Postman testing ~15 mins

CORS testing in Postman - Build an Automation Script

Verify CORS policy allows requests from allowed origins
Step 1: Open Postman and create a new GET request to the API endpoint https://api.example.com/data
Step 2: Add a custom header 'Origin' with value 'https://allowed-origin.com'
Step 3: Send the request
Step 4: Observe the response headers
Step 5: Repeat the request with 'Origin' header set to 'https://disallowed-origin.com'
✅ Expected Result: For the allowed origin, the response includes header 'Access-Control-Allow-Origin' with value 'https://allowed-origin.com' and status code 200. For the disallowed origin, the response does not include 'Access-Control-Allow-Origin' header or returns a CORS error status.
Automation Requirements - Postman Tests
Assertions Needed:
Verify response status code is 200 for allowed origin
Verify 'Access-Control-Allow-Origin' header equals the allowed origin
Verify response status code is 403 or no 'Access-Control-Allow-Origin' header for disallowed origin
Best Practices:
Use environment variables for origin URLs
Write clear and descriptive test scripts in Postman Tests tab
Separate tests for allowed and disallowed origins
Use pre-request scripts to set headers dynamically
Automated Solution
Postman
// Origins come from environment variables (allowedOrigin / disallowedOrigin),
// so the same Tests script can be attached to both requests.
const allowedOrigin = pm.environment.get('allowedOrigin');
const disallowedOrigin = pm.environment.get('disallowedOrigin');
const sentOrigin = pm.request.headers.get('Origin');

if (sentOrigin === allowedOrigin) {
    pm.test('Allowed origin returns 200 status', function () {
        pm.response.to.have.status(200);
    });

    pm.test('Allowed origin is present in Access-Control-Allow-Origin header', function () {
        pm.expect(pm.response.headers.get('Access-Control-Allow-Origin')).to.eql(allowedOrigin);
    });
}

if (sentOrigin === disallowedOrigin) {
    pm.test('Disallowed origin returns no Access-Control-Allow-Origin header or error', function () {
        const headerPresent = pm.response.headers.has('Access-Control-Allow-Origin');
        const rejected = [401, 403].includes(pm.response.code);
        // Either the CORS header is absent, or the server refused the request outright
        pm.expect(!headerPresent || rejected).to.be.true;
    });
}

This Postman test script checks the CORS behavior for allowed and disallowed origins.

First, it verifies the response status is 200 when the origin is allowed.

Then, it asserts the Access-Control-Allow-Origin header matches the allowed origin value stored in environment variables.

For the disallowed origin, it confirms that the header is missing, or that the status code indicates an error or forbidden access.

Using environment variables makes the test flexible and reusable.

Tests are written clearly in the Postman Tests tab to provide immediate feedback after each request.

Common Mistakes - 3 Pitfalls
Pitfall 1: Hardcoding origin URLs inside test scripts
Pitfall 2: Not setting the 'Origin' header in the request
Why it's bad: CORS depends on the Origin header; without it, the server won't apply CORS rules properly.
Correct approach: Always add the 'Origin' header in the request to simulate browser behavior.
Pitfall 3: Checking only the status code without verifying CORS headers
Why it's bad: The status code alone does not confirm that the CORS policy is correctly enforced.
Correct approach: Assert the presence and correctness of the 'Access-Control-Allow-Origin' header in the response.
Bonus Challenge

Now add data-driven testing with 3 different origins: one allowed, one disallowed, and one missing Origin header
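The following stand-alone Node.js script is an added example, not code from the tutorial: it models the assertions of the automated solution above and runs them data-driven over the three origins of the bonus challenge. The server-side policies (`corsPolicy`, a correct allowlist, and `reflectingPolicy`, a server that echoes any Origin), the allowlist and the responses are all constructed here so the script runs offline; in Postman the `CASES` table would be the Collection Runner data file, read per iteration with `pm.iterationData.get('origin')`, and the response would come from the real endpoint.

```javascript
// Added example, not part of the original tutorial: a stand-alone model of the
// CORS checks the Postman script performs, run over three origins.
// `corsPolicy`, `reflectingPolicy` and ALLOWED_ORIGINS are hypothetical;
// every response below is constructed, not captured from a real server.

// Allowlist; in Postman this value lives in the environment variable allowedOrigin.
const ALLOWED_ORIGINS = ['https://allowed-origin.com'];

// Correctly configured server: echoes the Origin only when it is on the
// allowlist and otherwise sends no CORS header at all.
function corsPolicy(requestOrigin) {
  const headers = { 'Content-Type': 'application/json' };
  if (requestOrigin !== undefined && ALLOWED_ORIGINS.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin'; // keeps caches from serving one origin's response to another
  }
  return { status: 200, headers };
}

// Common misconfiguration: any Origin is reflected back. The suite must flag it.
function reflectingPolicy(requestOrigin) {
  const headers = { 'Content-Type': 'application/json' };
  if (requestOrigin !== undefined) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return { status: 200, headers };
}

// Case-insensitive header lookup, like pm.response.headers.get().
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Apply the tutorial's assertions to one response. Returns a list of failure
// messages; an empty list means every assertion passed.
function checkCors(requestOrigin, response) {
  const failures = [];
  const acao = getHeader(response.headers, 'Access-Control-Allow-Origin');
  const shouldAllow = requestOrigin !== undefined && ALLOWED_ORIGINS.includes(requestOrigin);

  if (shouldAllow) {
    // Allowed origin: status 200 and the header must equal the origin exactly.
    if (response.status !== 200) failures.push(`expected 200, got ${response.status}`);
    if (acao !== requestOrigin) failures.push(`expected Access-Control-Allow-Origin ${requestOrigin}, got ${acao}`);
  } else {
    // Disallowed or absent origin: the header must be missing, or the server must
    // have rejected the request. A reflected origin or '*' here is a finding.
    const rejected = [401, 403].includes(response.status);
    if (acao !== undefined && !rejected) {
      failures.push(`origin ${requestOrigin} is not allowlisted but got Access-Control-Allow-Origin ${acao}`);
    }
  }
  return failures;
}

// Data-driven cases from the bonus challenge. In the Postman Collection Runner
// these rows are the data file and each origin is read with pm.iterationData.get('origin').
const CASES = [
  { name: 'allowed origin', origin: 'https://allowed-origin.com' },
  { name: 'disallowed origin', origin: 'https://disallowed-origin.com' },
  { name: 'no Origin header', origin: undefined },
];

// Run every case against one server policy and collect the results.
function runSuite(policy) {
  return CASES.map((c) => ({ name: c.name, failures: checkCors(c.origin, policy(c.origin)) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  const servers = [['correct server', corsPolicy], ['reflecting server', reflectingPolicy]];
  for (const [label, policy] of servers) {
    console.log(`== ${label}`);
    for (const r of runSuite(policy)) {
      console.log(r.failures.length === 0 ? `PASS ${r.name}` : `FAIL ${r.name}: ${r.failures.join('; ')}`);
    }
  }
}
```

Run it with `node cors-check.js`: the correct server passes all three cases, while the reflecting server passes the allowed-origin and no-Origin cases but fails the disallowed-origin case, which is exactly why the tutorial insists on checking the header value and not only the status code. The "no Origin header" row matters because a same-origin or non-browser client sends none, and the server must not answer it with a permissive header either.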
