CORS Tester

Use this little website to test whether a URL is set up correctly to work with CORS.




If your CORS setup is not using a wildcard, then this should be a domain that matches your AllowedOrigins.


Results

This URL will only work for specific domains.

What's that mean?

This URL can only be loaded by pages whose origin matches https://servicios.cfia.or.cr. If you're trying to load it from a different origin and it's not working, you'll need to change it so the access-control-allow-origin header is set to *.

Headers

These are the response headers received when making the request.

access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
access-control-allow-origin: https://servicios.cfia.or.cr
access-control-expose-headers: X-Total-Count
access-control-max-age: 3600
alt-svc: h3=":443"; ma=86400; persist=1
cache-control: private
cf-cache-status: DYNAMIC
cf-ray: 9fd2b59da80de88e-CMH
content-length: 3490
content-security-policy: default-src 'none'; script-src 'report-sample' https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js https://static.videoask.com/embed/embed.js https://www.videoask.com/embed/embed.js https://maps.googleapis.com https://www.paypal.com https://www.paypalobjects.com https://api.smooch.io/ https://unpkg.com/ http://*.cfia.or.cr https://*.cfia.or.cr https://*.jquery.com https://*.alignetsac.com https://*.verifika.com https://cdn.datatables.net/ 'unsafe-eval' 'unsafe-inline' blob: https://www.google-analytics.com/analytics.js https://www.google.com/recaptcha/api.js https://www.gstatic.com/recaptcha/releases/ https://static.zdassets.com/web_widget/classic/latest/ https://www.googletagmanager.com/ https://static.zdassets.com/ https://analytics.google.com/ https://www.google-analytics.com/ https://*.cloudfront.net https://cdn.jsdelivr.net/ https://cdnjs.cloudflare.com/; media-src https://*.cfia.or.cr https://*.zdassets.com blob:; object-src 'none'; img-src * data: blob:; style-src * 'unsafe-inline' 'report-sample'; manifest-src https://*.cfia.or.cr; font-src https: data:; connect-src https://cdn.jsdelivr.net/npm/feather-icons/dist/feather.min.js.map https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.3/umd/popper.min.js.map https://www.paypal.com/ https://www.paypalobjects.com/ http://*.cfia.or.cr https://*.cfia.or.cr https://cfia.aurainteractiva.com/ https://*.hacienda.go.cr https://analytics.google.com https://www.google-analytics.com/ https://*.googleapis.com https://*.google.com https://stats.g.doubleclick.net/ https://*.alignetsac.com https://*.verifika.com https://ka-f.fontawesome.com/ wss://widget-mediator.zopim.com wss://localhost:31337 https://localhost:31337 wss://*.cfia.or.cr wss://api.smooch.io/ https://ekr.zdassets.com/ https://*.zendesk.com https://*.placetopay.com; frame-ancestors https://*.cfia.or.cr https://*.google.com https://*.alignetsac.com https://*.verifika.com; frame-src https://www.paypal.com/ https://*.cfia.or.cr https://*.google.com https://*.alignetsac.com https://*.verifika.com; base-uri 'self'; report-uri https://sso.cfia.or.cr/csp-receiver/ReceiveCspReport.ashx; report-to csp-endpoint;
content-type: text/html; charset=utf-8
date: Sun, 17 May 2026 12:43:45 GMT
permissions-policy: geolocation=(), microphone=(), camera=self, payment=(), usb=()
referrer-policy: strict-origin-when-cross-origin
reporting-endpoints: csp-endpoint="https://dev-sso.cfia.or.cr/csp-receiver/ReceiveCspReport.ashx"
server: cloudflare
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: Origin
x-aspnet-version: 4.0.30319
  

CORS tester was built by @mscccc. The code is available on GitHub. Sponsored by HTML/CSS to Image.