Spoold is a free, privacy-first developer toolbox. Paste into the Magic Box and it detects JSON, HTML, JWT, curl, OpenAPI, CSV, timestamps, and more—then suggests the best tool. You can also browse the full catalog by category. No sign-up is required.

Is Spoold free to use?

Yes. Core tools are free. Heavy work runs in your browser so your payloads are not processed on Spoold servers for formatting, decoding, and similar utilities.

Is my data safe with Spoold?

Tool processing for supported client-side utilities happens in your browser. Encrypted share links are designed so only people with the link can read the payload. Review the Privacy Policy for details on cookies, optional ads, and third-party services.

What tools are available?

Spoold ships 65+ tools including JSON formatter and diff, JSON Schema validation, YAML and TOML converters, HTML and Markdown preview, JWT decode and sign, OpenAPI/Swagger viewer with curl, GraphQL formatter, curl to code and curl compare, certificate viewer, CSV preview, regex tester, Mermaid, code editor, LLM token utilities, QR codes, and many encoding and text utilities.

Does Spoold show ads?

The site may display advertisements or sponsored placements to help keep the service free. House promotions highlight other Spoold tools. Ads do not change the fact that supported tools process your pasted content locally in the browser. You can read how to manage ad cookies and opt-outs in the Privacy Policy.

Can I use keyboard shortcuts?

Yes. Press Cmd or Ctrl+K to open tool search, use / from the homepage, and use per-tool shortcuts (shown in the UI) such as jj for JSON and hh for HTML where configured.

CORS Policy for Browser Uploads: S3, R2, Presigned URLs, and ETag | Spoold Blog

Browser uploads need CORS even when authentication is already solved

Direct browser uploads to S3, Cloudflare R2, or another S3-compatible object store usually use a presigned URL. That URL authorizes the upload, but the bucket CORS policy decides whether the browser is allowed to make the cross-origin request. Spoold's S3/R2 CORS Generator & Debugger helps build and test that policy.

What belongs in a browser upload CORS policy?

A browser upload policy needs to match the actual request that JavaScript sends. For object storage uploads, that usually means a frontend origin, a write method, upload headers, exposed response headers, and a preflight cache duration.

Policy part	Browser upload meaning	Example
AllowedOrigins	Where your frontend runs	https://app.example.com
AllowedMethods	Upload method used by the signed URL	PUT, POST, HEAD
AllowedHeaders	Headers fetch/XMLHttpRequest sends	Content-Type, x-amz-*
ExposeHeaders	Response headers JS needs after upload	ETag
MaxAgeSeconds	How long preflight can be cached	3600

PUT vs POST browser uploads

A presigned PUT upload sends the file body directly to the object URL. A presigned POST upload usually submits form data with a policy, signature, key, and file field. Your CORS policy should include the method your backend generated.

Use PUT when frontend code calls fetch(url, { method: 'PUT' }).
Use POST when frontend code submits a form or FormData policy.
Include HEAD when the app checks object existence or metadata after upload.

Upload headers that trigger preflight

Browsers send an OPTIONS preflight when the request is not a simple CORS request. Uploads frequently send headers such as Content-Type, checksum headers, or S3 metadata headers. The bucket policy must allow those headers.

[
  {
    "AllowedOrigins": ["https://app.example.com"],
    "AllowedMethods": ["PUT", "POST", "HEAD"],
    "AllowedHeaders": [
      "Content-Type",
      "x-amz-*"
    ],
    "ExposeHeaders": ["ETag"],
    "MaxAgeSeconds": 3600
  }
]

Should browser uploads use wildcard origins?

A wildcard origin is tempting for quick testing, but it is usually too broad for app uploads. Use exact origins for production uploads, especially when the request includes credentials, tenant-specific URLs, or sensitive object keys. Public read assets are a better fit for broader origins.

Why ETag needs ExposeHeaders

After an upload succeeds, many apps read ETag to store the uploaded object hash or confirm the write. The browser hides most response headers from JavaScript unless the CORS policy lists them in ExposeHeaders. If upload succeeds but response.headers.get("ETag") returns null, expose the header.

How to test a browser upload policy

Generate the presigned URL from your backend as usual.
Open DevTools and run the upload from the browser.
Find the OPTIONS request and copy origin, method, and request headers.
Paste your policy and those details into the CORS debugger.
Apply the suggested fixed config and retest the browser request.

Browser upload CORS checklist

Origin includes protocol, host, and port.
Methods include PUT or POST, not only GET.
AllowedHeaders includes every preflight request header.
ExposeHeaders includes ETag if the app reads it.
Wildcard origins are avoided for credentialed or app-specific uploads.
Localhost origins are included during development.

Generate and debug in one place

Use the S3/R2 CORS Generator & Debugger to create a starting policy, edit the JSON in Monaco, download provider-specific CLI JSON, and diagnose failed browser uploads from the same page.

CORS Policy for Browser Uploads: S3, R2, Presigned URLs, and ETag

What belongs in a browser upload CORS policy?

PUT vs POST browser uploads

Upload headers that trigger preflight

Should browser uploads use wildcard origins?

Why ETag needs ExposeHeaders

How to test a browser upload policy

Browser upload CORS checklist

Generate and debug in one place

Related Tools

JSON Formatter

Related Articles

Cloudflare R2 CORS Generator: Create Bucket CORS JSON for Browser Apps

R2 Presigned URL CORS: Fix Browser Upload and Download Errors

S3 CORS Policy Generator: Create AWS Bucket CORS JSON for Browser Uploads

Try It Now