Test Overview
This test checks if the server correctly allows or blocks cross-origin requests based on CORS policy. It verifies the presence and correctness of CORS headers in the response.
```javascript
pm.test("CORS headers are present and correct", function () {
    // The response must state which origin is allowed to read it.
    pm.response.to.have.header("access-control-allow-origin");
    const originHeader = pm.response.headers.get("access-control-allow-origin");
    pm.expect(originHeader).to.be.oneOf(["*", "https://allowed-origin.com"]);

    // The response must list the permitted methods, including GET.
    pm.response.to.have.header("access-control-allow-methods");
    const methodsHeader = pm.response.headers.get("access-control-allow-methods");
    pm.expect(methodsHeader).to.include("GET");
});
```
| Step | Action | System State | Assertion | Result |
|---|---|---|---|---|
| 1 | Send HTTP OPTIONS request with Origin header 'https://allowed-origin.com' to the API endpoint | Postman sends preflight CORS request to server | - | PASS |
| 2 | Receive HTTP response with CORS headers from server | Response includes headers like 'access-control-allow-origin' and 'access-control-allow-methods' | - | PASS |
| 3 | Check if 'access-control-allow-origin' header is present and equals '*' or 'https://allowed-origin.com' | Header value is 'https://allowed-origin.com' | pm.expect(originHeader).to.be.oneOf(['*', 'https://allowed-origin.com']) | PASS |
| 4 | Check if 'access-control-allow-methods' header is present and includes 'GET' | Header value is 'GET, POST, OPTIONS' | pm.expect(methodsHeader).to.include('GET') | PASS |
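
The test above only exercises the allowed path. The following added example (plain Node.js JavaScript, not a Postman script and not part of the original page) checks both the allowed and the blocked path against the same two headers. It assumes the policy is an allowlist, so `*` returned to an unlisted origin counts as a failure; `checkCors`, `ALLOWED_ORIGINS`, `https://unlisted.example` and the sample responses are constructed for illustration.

```javascript
// Allowlist taken from the origin used in the test above.
const ALLOWED_ORIGINS = ["https://allowed-origin.com"];

// Constructed sample preflight responses.
const SAMPLE_OK = {
  "Access-Control-Allow-Origin": "https://allowed-origin.com",
  "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
  "Vary": "Origin",
};
const SAMPLE_REFLECTED = {
  "Access-Control-Allow-Origin": "https://unlisted.example",
  "Access-Control-Allow-Methods": "GET",
};

// HTTP header names are case-insensitive, so compare on lower-cased keys.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Returns a list of findings; an empty list means the response matches the policy.
function checkCors(requestOrigin, responseHeaders, requiredMethod = "GET") {
  const h = lowerKeys(responseHeaders);
  const findings = [];
  const acao = h["access-control-allow-origin"];

  if (!ALLOWED_ORIGINS.includes(requestOrigin)) {
    // Blocked path: an unlisted origin must not be granted access.
    if (acao === "*" || acao === requestOrigin) findings.push("unlisted origin was allowed");
    return findings;
  }
  // Allowed path: the page's two assertions plus two stricter checks.
  if (acao === undefined) return ["missing access-control-allow-origin"];
  if (acao !== "*" && acao !== requestOrigin) findings.push("unexpected allow-origin value");
  if (acao === "*" && (h["access-control-allow-credentials"] || "").toLowerCase() === "true")
    findings.push("wildcard origin combined with credentials");
  const vary = (h["vary"] || "").toLowerCase().split(",").map((s) => s.trim());
  if (acao !== "*" && !vary.includes("origin"))
    findings.push("origin-specific response without Vary: Origin");
  const methods = (h["access-control-allow-methods"] || "")
    .split(",").map((m) => m.trim().toUpperCase());
  if (!methods.includes(requiredMethod)) findings.push("required method not allowed");
  return findings;
}

console.log(checkCors("https://allowed-origin.com", SAMPLE_OK));
console.log(checkCors("https://unlisted.example", SAMPLE_REFLECTED));
```
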