Verifying CORS Headers with cURL


Oftentimes I'll find myself wanting to verify CORS headers on a specific static resource, for example, a webfont.

Consider the following command:

$ curl -I -s -X GET -H "Origin:"

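In the above example I'm asking cURL to return only the response headers (-I) of the specified resource via a GET request (-X GET), sending an Origin header (-H) the way a browser does on a cross-origin request. The -s flag silences the progress output. Here's the output: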

HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Thu, 22 Oct 2015 21:15:04 GMT
Content-Type: application/font-sfnt
Content-Length: 106260
Connection: keep-alive
Last-Modified: Wed, 29 Jul 2015 11:33:54 GMT
Expires: Tue, 11 Oct 2016 21:15:04 GMT
Cache-Control: public, max-age=30672000
Access-Control-Allow-Origin: *
CF-Cache-Status: HIT
Accept-Ranges: bytes
CF-RAY: 2398372a295028ca-SJC

This is especially helpful when working with webfonts served from content delivery networks. To make things even easier and a little more DRY you can add the following function to your ZSH or Bash profile.

corscheck() {
  # $1 = requesting origin, $2 = URL of the resource to check
  curl -I -s -X GET -H "Origin: $1" "$2"
}

The first argument is the origin that will be making the request (scheme and host, as a browser sends it in the Origin header) and the second is the URL of the resource in question. See the usage example below:

$ corscheck
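
Reading the headers by eye works for one resource. As an added example (not part of the original post), the function below turns the output of corscheck into a single verdict, and goes a little further than the post by also checking Access-Control-Allow-Credentials and Vary: Origin, which matter when a CDN caches the response. The names hdr_value and cors_verdict, the verdict strings and the origin https://example.com are assumptions made for this example.

```shell
# Added example (not from the original post): classify the CORS headers
# that `curl -I -s -X GET -H "Origin: ..." URL` prints.

# hdr_value NAME TEXT: print the first value of header NAME (lowercase) in TEXT.
hdr_value() {
  printf '%s\n' "$2" | tr -d '\r' | awk -v want="$1" '
    { i = index($0, ":"); if (i == 0) next
      name = tolower(substr($0, 1, i - 1))
      val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (name == want) { print val; exit } }'
}

# cors_verdict ORIGIN: read response headers on stdin, print one verdict.
# The body runs in a subshell, so its variables do not leak into the caller.
cors_verdict() (
  origin=$1
  headers=$(cat)
  acao=$(hdr_value access-control-allow-origin "$headers")
  acac=$(hdr_value access-control-allow-credentials "$headers")
  vary=$(hdr_value vary "$headers" | tr 'A-Z' 'a-z')

  if [ -z "$acao" ]; then
    echo "blocked-missing"             # no ACAO header: cross-origin read is refused
  elif [ "$acao" = "*" ]; then
    if [ "$acac" = "true" ]; then
      echo "wildcard-with-credentials" # browsers reject "*" for credentialed requests
    else
      echo "allowed-wildcard"
    fi
  elif [ "$acao" = "$origin" ]; then
    case "$vary" in
      *origin*|"*") echo "allowed-exact" ;;
      *) echo "allowed-exact-no-vary" ;; # a shared cache may serve this to other origins
    esac
  else
    echo "blocked-mismatch"            # ACAO names a different origin
  fi
)

# Constructed sample: the CORS-relevant part of the response shown above.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: application/font-sfnt
Cache-Control: public, max-age=30672000
Access-Control-Allow-Origin: *'

# https://example.com is a placeholder origin.
printf '%s\n' "$SAMPLE_HEADERS" | cors_verdict "https://example.com"
```

With both functions in your profile, pipe the real check through it by passing the same origin to each side: corscheck ORIGIN URL | cors_verdict ORIGIN.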