The service sends an OPTIONS preflight request and a GET request with the header Origin: https://101ip.ru and analyses the CORS headers in the server response.
Access-Control-Allow-Origin — domains permitted to access (* — everyone);Access-Control-Allow-Methods — allowed HTTP methods (GET, POST, PUT, DELETE…);Access-Control-Allow-Headers — allowed request headers;Access-Control-Allow-Credentials — whether cookies and authorisation are permitted;Access-Control-Max-Age — preflight response cache time (seconds);Access-Control-Expose-Headers — headers accessible to client-side JS code.The value Access-Control-Allow-Origin: * forbids the use of Allow-Credentials: true. The browser will block such a response. For authenticated requests, a specific origin must be specified.
This means the server does not return Access-Control-Allow-Origin or any other CORS headers. You need to configure your server software (Nginx, Apache, IIS, or application code) to add the required headers. For example, in Nginx you can add the directive add_header Access-Control-Allow-Origin *;. After updating the configuration, re-run the check on 101ip.ru to confirm the headers appear.
A preflight OPTIONS request is sent by the browser to verify allowed methods and headers before the actual request. If the server does not respond to OPTIONS or returns an error (e.g. 403 or 500), CORS Checker will flag this. Make sure your server handles OPTIONS requests and returns the correct Access-Control-Allow-Methods and Access-Control-Allow-Headers headers. The problem often occurs when the server is not configured to accept the OPTIONS method.
Look at the Access-Control-Allow-Credentials header in the CORS Checker results. If it is set to true, the server permits cookies and authorisation data. Note that in this case Access-Control-Allow-Origin must specify a concrete origin, not a wildcard (*). If the header is absent or set to false, cookies will not be transmitted. To enable this, configure your server accordingly.