
CORS testing in Postman - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual
intermediate
Understanding CORS Preflight Requests

Which HTTP method is used by browsers to send a CORS preflight request before the actual request?

A. OPTIONS
B. GET
C. POST
D. HEAD
💡 Hint

Think about a method that checks permissions without sending data.

Predict Output
intermediate
CORS Response Header Behavior

What does it mean for the browser when the server sets the Access-Control-Allow-Origin response header to *?

Postman
GET /api/data HTTP/1.1
Host: example.com
Origin: https://client.com

Response Headers:
Access-Control-Allow-Origin: *
A. The browser allows requests from any origin.
B. The browser ignores the header and blocks the request.
C. The browser allows requests only from https://client.com.
D. The browser blocks requests from all origins.
💡 Hint

Consider what the wildcard * means in CORS headers.

assertion
advanced
Validating CORS Headers in Postman Tests

Which Postman test script correctly asserts that the Access-Control-Allow-Origin header equals https://client.com?

A. pm.test('CORS header is correct', () => { pm.response.to.have.header('Access-Control-Allow-Origin', 'https://client.com'); });
B. pm.test('CORS header is correct', () => { pm.expect(pm.response.headers.get('Access-Control-Allow-Origin')).to.equal('https://client.com'); });
C. pm.test('CORS header is correct', () => { pm.response.headers.has('Access-Control-Allow-Origin', 'https://client.com'); });
D. pm.test('CORS header is correct', () => { pm.expect(pm.response.headers.get('Access-Control-Allow-Origin')).to.be.true; });
💡 Hint

Look for the correct way to get a header and compare its value in Postman tests.

🔧 Debug
advanced
Diagnosing CORS Failure in Postman

You send a request from Postman to a server and receive a 200 OK response, but your browser shows a CORS error. Why does this happen?

A. The browser caches old CORS headers causing the error.
B. The server is blocking Postman requests but allowing browsers.
C. Postman automatically adds CORS headers, browsers do not.
D. Postman does not enforce CORS, but browsers do.
💡 Hint

Think about how Postman and browsers handle CORS differently.

framework
expert
Automating CORS Tests in Postman Collection

Which approach best automates testing that a server correctly handles CORS preflight requests in a Postman collection?

A. Use Postman to disable CORS enforcement and verify server response status only.
B. Send a GET request without Origin header and check for Access-Control-Allow-Origin in response.
C. Create a request with method OPTIONS, set Origin header, and assert Access-Control-Allow-* headers in test scripts.
D. Send a POST request with Origin header and assert response body contains CORS headers.
💡 Hint

Remember how browsers perform preflight checks and what headers are involved.