CORS

Broken or missing CORS headers, including preflight failures.

ANY /cors-broken

Sends broken or missing CORS headers in four distinct modes. Handles OPTIONS preflight as well as regular methods, so behavior is testable end-to-end from a browser.

mode Brokenness mode. One of: missing (no CORS headers, default), wildcard-credentials (Origin=* with credentials=true — forbidden by spec), wrong-origin (hardcoded Access-Control-Allow-Origin: https://example.com), preflight-deny (403 on OPTIONS, 200 on GET).

details

CORS chaos is browser-only chaos — direct HTTP clients (curl, PowerShell, server-to-server) ignore CORS entirely and will happily consume the responses. To actually observe the failure, you need a browser making a cross-origin fetch() and the devtools network panel to inspect the blocked request.

The four modes correspond to real-world broken patterns:

missing — The server forgot to set CORS headers at all. Common when a new endpoint is added to an existing CORS-enabled API.
wildcard-credentials — Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true. Browsers reject this outright. A frequent footgun when copying CORS config between endpoints.
wrong-origin — Header always returns a fixed origin (https://example.com). Happens when a server returns a hardcoded ACAO instead of reflecting the request Origin against an allowlist.
preflight-deny — Preflight returns 403. The actual request is fine, but the browser never gets to make it. Often caused by overly strict WAF rules on OPTIONS requests.

Use X-Chaos-Cors-Mode in the response headers to verify your client hit the right mode.