Free tool
CORS Checker
Enter an API URL to test it for CORS misconfiguration. We send a request with an attacker-style origin and report whether your endpoint reflects arbitrary origins or exposes credentialed data cross-site.
FAQ
- What is a CORS misconfiguration?
- CORS controls which websites can read your API's responses in a browser. A misconfiguration — reflecting any origin, or allowing credentials with a wildcard — lets a malicious site read authenticated data from your API on behalf of a logged-in victim.
- Is a wildcard (*) CORS policy always bad?
- No. Access-Control-Allow-Origin: * is fine for truly public, non-credentialed data. It becomes dangerous when combined with credentials, or when used for endpoints that return private data.
- Does this test preflight requests?
- This checks a simple GET with an attacker-style Origin. For full coverage, also confirm your OPTIONS preflight responses restrict origins, methods and headers.
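The checks described in the FAQ, written out as an added example (not the checker's own code): it classifies the response headers returned to a request that carried an untrusted Origin. The function name, finding codes and sample origins are hypothetical, and the sample responses are constructed.

```javascript
// Added example, not the checker's own code. assessCors, the finding codes
// and the sample origins are hypothetical names chosen for illustration.

// Case-insensitive lookup in a plain object of response headers.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// probeOrigin: the untrusted Origin value the test request carried.
// headers: response headers returned by the endpoint.
// privateData: true when the endpoint returns per-user or private data.
function assessCors(probeOrigin, headers, privateData) {
  const acao = header(headers, 'Access-Control-Allow-Origin');
  const creds = (header(headers, 'Access-Control-Allow-Credentials') || '').toLowerCase() === 'true';
  const findings = [];
  if (acao === undefined) return findings; // no CORS grant, browser blocks the read
  if (acao === '*') {
    // Browsers refuse credentialed reads when the value is a literal "*",
    // so this pairing is a broken policy, not a working one.
    if (creds) findings.push('wildcard-with-credentials');
    if (privateData) findings.push('wildcard-on-private-endpoint');
  } else if (acao === probeOrigin) {
    // The server echoed an origin it has no reason to trust.
    findings.push(creds ? 'reflected-origin-with-credentials' : 'reflected-origin');
  }
  return findings;
}

// Constructed sample responses to a GET sent with Origin: https://untrusted.example
const PROBE = 'https://untrusted.example';
const SAMPLES = {
  publicFeed: { headers: { 'Access-Control-Allow-Origin': '*' }, privateData: false },
  reflecting: { headers: { 'access-control-allow-origin': PROBE,
                           'access-control-allow-credentials': 'true' }, privateData: true },
  wildcardPrivate: { headers: { 'Access-Control-Allow-Origin': '*',
                                'Access-Control-Allow-Credentials': 'true' }, privateData: true },
  allowlisted: { headers: { 'Access-Control-Allow-Origin': 'https://app.example',
                            'Access-Control-Allow-Credentials': 'true' }, privateData: true },
};

function runSamples() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) out[name] = assessCors(PROBE, s.headers, s.privateData);
  return out;
}

console.log(runSamples());
```

An empty findings list for the allowlisted sample shows the secure shape: the server answers with its own fixed origin rather than the one the request supplied.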