Spoold is a free, privacy-first developer toolbox. Paste into the Magic Box and it detects JSON, HTML, JWT, curl, OpenAPI, CSV, timestamps, and more—then suggests the best tool. You can also browse the full catalog by category. No sign-up is required.

Is Spoold free to use?

Yes. Core tools are free. Heavy work runs in your browser so your payloads are not processed on Spoold servers for formatting, decoding, and similar utilities.

Is my data safe with Spoold?

Tool processing for supported client-side utilities happens in your browser. Encrypted share links are designed so only people with the link can read the payload. Review the Privacy Policy for details on cookies, optional ads, and third-party services.

What tools are available?

Spoold ships 65+ tools including JSON formatter and diff, JSON Schema validation, YAML and TOML converters, HTML and Markdown preview, JWT decode and sign, OpenAPI/Swagger viewer with curl, GraphQL formatter, curl to code and curl compare, certificate viewer, CSV preview, regex tester, Mermaid, code editor, LLM token utilities, QR codes, and many encoding and text utilities.

Does Spoold show ads?

The site may display advertisements or sponsored placements to help keep the service free. House promotions highlight other Spoold tools. Ads do not change the fact that supported tools process your pasted content locally in the browser. You can read how to manage ad cookies and opt-outs in the Privacy Policy.

Can I use keyboard shortcuts?

Yes. Press Cmd or Ctrl+K to open tool search, use / from the homepage, and use per-tool shortcuts (shown in the UI) such as jj for JSON and hh for HTML where configured.

Fix Cloudflare R2 CORS Error: Preflight, Origin, Headers, and ETag | Spoold Blog

R2 CORS errors are usually one missing origin, method, or header

Cloudflare R2 CORS failures look noisy in the browser, but most reduce to a small mismatch: the frontend origin is not allowed, the method is missing, a request header is blocked, or a response header is not exposed. The S3/R2 CORS debugger checks those pieces directly.

Start with the exact browser error

Do not debug R2 CORS from the backend first. Open browser DevTools, go to Network, and find the failed request. If there is an OPTIONS request before your upload or download, that is the preflight check. Copy the request headers and the console error text.

R2 CORS error quick fixes

Error text	What to check	Policy fix
No Access-Control-Allow-Origin header	Origin request header	Add the exact origin to AllowedOrigins
Response to preflight request does not pass	OPTIONS request method	Add the intended method to AllowedMethods
Request header field Content-Type is not allowed	Access-Control-Request-Headers	Add Content-Type to AllowedHeaders
Request header field x-amz-acl is not allowed	Upload ACL or metadata headers	Add x-amz-acl or x-amz-* to AllowedHeaders
ETag is missing in JavaScript	Response headers app reads	Add ETag to ExposeHeaders

Checklist for fixing R2 CORS

Copy the frontend origin exactly: https://app.example.com is different from http://localhost:3000.
Check Access-Control-Request-Method. Uploads usually need PUT or POST.
Check Access-Control-Request-Headers. Add every listed header to AllowedHeaders.
If your app reads ETag, add it to ExposeHeaders.
If cookies or credentials are involved, avoid AllowedOrigins: ["*"].
After changing CORS, retest in the browser and watch for cached CDN responses.

Example fixed R2 policy

This example covers a common app upload flow: local development, production app origin, PUT/POST uploads, Content-Type, x-amz metadata headers, and JavaScript access to ETag.

[
  {
    "AllowedOrigins": [
      "https://app.example.com",
      "http://localhost:3000"
    ],
    "AllowedMethods": ["PUT", "POST", "HEAD"],
    "AllowedHeaders": [
      "Content-Type",
      "x-amz-*"
    ],
    "ExposeHeaders": ["ETag"],
    "MaxAgeSeconds": 3600
  }
]

Why localhost often breaks

CORS origins include scheme, host, and port. If your policy allows https://app.example.com, it does not allow http://localhost:3000. Add each development origin explicitly, and remove it later if your production policy should be stricter.

Debug R2 CORS with a preflight curl

A normal curl request will not show the browser's CORS decision. Use an OPTIONS request with Origin, Access-Control-Request-Method, and Access-Control-Request-Headers.

curl -i -X OPTIONS 'https://files.example.com/avatar.png' \
  -H 'Origin: https://app.example.com' \
  -H 'Access-Control-Request-Method: PUT' \
  -H 'Access-Control-Request-Headers: Content-Type,x-amz-meta-user-id'

Use the R2 CORS debugger

Paste the current policy into Spoold's CORS debugger. Enter the request origin, method, request headers, response headers your app reads, and error text. The debugger returns a diagnosis and a suggested fixed config.

Fix Cloudflare R2 CORS Error: Preflight, Origin, Headers, and ETag

Start with the exact browser error

R2 CORS error quick fixes

Checklist for fixing R2 CORS

Example fixed R2 policy

Why localhost often breaks

Debug R2 CORS with a preflight curl

Use the R2 CORS debugger

Related Tools

JSON Formatter

Related Articles

Cloudflare R2 CORS Generator: Create Bucket CORS JSON for Browser Apps

R2 Presigned URL CORS: Fix Browser Upload and Download Errors

S3 CORS Policy Generator: Create AWS Bucket CORS JSON for Browser Uploads

Try It Now