CORS- Test non white listed domain can't access rest api

I have to test using postman that non white listed domain can’t access rest api. I am new to CORS- I have following questions-

  1. When I send say POST request from postman, what will be origin header value?
  2. To test that non whitelisted domain can not access rest api, do I have to set origin header as white listed domain and then post request and check the headers in response?
    Please advice. Thanks
  1. You may check this issue.
  2. That’s right, I suggest testing with curl as it gives more flexibility than browsers (and these have their own policies, very strict).

Postman does not give you full control over headers, because it is a browser based application and the borswer needs to respect the spec and so wont let you meddle with restricted headers easily (there are ways around it, but they are ugly). As @matiasb said, curl is much better for this (if more complex).