CORS Configuration Checker
Cross-Origin Resource Sharing (CORS) misconfigurations are a common and well-understood class of web vulnerability. The browser's same-origin policy stops a page on one site from reading responses returned to another; a misconfigured CORS policy relaxes that rule, so a page on an attacker's site can read the responses to requests the victim's browser makes to your API, including requests that carry the victim's session cookie. The result is data theft and, where the response contains tokens or account details, account takeover.
What it checks
- ✓Access-Control-Allow-Origin: * (wildcard) on authenticated endpoints (browsers never attach cookies to a wildcard grant, so this matters mainly for endpoints reachable without cookies, e.g. on internal networks)
- ✓Reflecting arbitrary Origin headers without validation (the Origin is echoed back as Access-Control-Allow-Origin)
- ✓Access-Control-Allow-Credentials: true with a wildcard origin (browsers reject the combination, but it shows that no allowlist is in place)
- ✓Null origin allowlisting (the "null" origin is sent by sandboxed iframes and data: URLs, which an attacker's page can create)
- ✓Overly broad origin matching: unanchored patterns or substring checks that also accept yourdomain.com.attacker.example or attacker-yourdomain.com, or that trust every subdomain
Why it matters
CORS misconfigurations allow attacker-controlled websites to silently read authenticated API responses in the victim's browser. When the server reflects the attacker's Origin and also sends Access-Control-Allow-Credentials: true, the attacker's page can issue a fetch with credentials included, the browser attaches the victim's cookies, and the response body is handed to the attacker's script. This is a direct path to account takeover and data exfiltration without any user interaction beyond visiting a malicious page.
Common issues found
- Wildcard origin (*) on credentialed endpoints
- Reflecting arbitrary Origin without validation
- Null origin allowed
- Missing Vary: Origin header (cache poisoning risk: a cached response carrying one origin's Access-Control-Allow-Origin can be served to requests from another)
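The checks listed above can be reproduced with a few probe requests. The following is an added example written for this page, not the checker's own code: it sends a set of crafted Origin values to a URL, classifies each response's Access-Control-Allow-Origin / Access-Control-Allow-Credentials pair, and flags a missing Vary: Origin when the grant is origin-dependent. The hosts api.example and attacker.example, and the SAMPLE_RESPONSES dictionary, are constructed for the example (.example is reserved for documentation).

```python
# Added example (not the checker's own code): classify CORS response headers for a
# set of probe origins, with an optional live prober built on urllib.
from urllib.parse import urlsplit
import urllib.request
from urllib.error import HTTPError, URLError

ATTACKER = "https://attacker.example"   # constructed attacker origin


def probe_origins(target_origin):
    """Origins to send; each one targets a different allowlist mistake."""
    host = urlsplit(target_origin).hostname
    return {
        "same":      target_origin,                       # control: should be allowed
        "foreign":   ATTACKER,                            # blind reflection of Origin
        "null":      "null",                              # sandboxed iframe / data: URL origin
        "suffix":    f"https://{host}.attacker.example",  # regex anchored only at the start
        "prefix":    f"https://evil{host}",               # endswith(host) without a leading dot
        "subdomain": f"https://sub.{host}",               # every subdomain trusted
    }


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def classify(kind, origin_sent, headers):
    """Findings for one response as (severity, message) tuples."""
    h = _lower(headers)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None or kind == "same":
        return []                                         # no grant, or the expected one
    if acao == "*":
        if creds:
            return [("medium", "ACAO * with ACAC true: browsers refuse credentials, "
                               "but no allowlist is in place")]
        return [("low", "wildcard ACAO: any site can read responses that need no cookie")]
    if acao == origin_sent:
        sev = "high" if creds else "medium"
        tail = " with credentials" if creds else " (cookies not sent; readable only if auth is not cookie based)"
        return [(sev, f"{kind} origin {origin_sent} is allowed{tail}")]
    return []


def audit(target_origin, responses):
    """responses: {probe kind: header dict}. Per-probe findings plus the Vary: Origin check."""
    origins = probe_origins(target_origin)
    findings = []
    for kind, headers in responses.items():
        findings += classify(kind, origins[kind], headers)
    granted = [_lower(h) for h in responses.values()
               if "access-control-allow-origin" in _lower(h)]
    varies = len({h["access-control-allow-origin"] for h in granted}) > 1
    missing_vary = any("origin" not in h.get("vary", "").lower() for h in granted)
    if varies and missing_vary:
        findings.append(("info", "ACAO depends on Origin but Vary: Origin is missing: "
                                 "a shared cache may serve one origin's grant to another"))
    return findings


def fetch_headers(url, origin, timeout=10):
    """One live probe; 4xx/5xx responses still carry CORS headers, so keep them."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except HTTPError as exc:
        return dict(exc.headers.items())
    except URLError:
        return {}


def check_url(url):
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    responses = {kind: fetch_headers(url, o) for kind, o in probe_origins(origin).items()}
    return audit(origin, responses)


# Constructed responses from a server that reflects any Origin it recognises,
# allows "null", trusts every subdomain, and never sends Vary: Origin.
SAMPLE_RESPONSES = {
    "same":      {"Access-Control-Allow-Origin": "https://api.example",
                  "Access-Control-Allow-Credentials": "true"},
    "foreign":   {"Access-Control-Allow-Origin": ATTACKER,
                  "Access-Control-Allow-Credentials": "true"},
    "null":      {"Access-Control-Allow-Origin": "null",
                  "Access-Control-Allow-Credentials": "true"},
    "suffix":    {},
    "prefix":    {},
    "subdomain": {"Access-Control-Allow-Origin": "https://sub.api.example",
                  "Access-Control-Allow-Credentials": "true"},
}

if __name__ == "__main__":
    for severity, message in audit("https://api.example", SAMPLE_RESPONSES):
        print(f"[{severity}] {message}")
```

Run it as-is to see the offline classification; call check_url("https://your-api/endpoint") to probe a live target you are authorised to test. The "same" probe is deliberately ignored, since echoing your own origin is the expected behaviour, and a wildcard is rated low rather than high because browsers never attach cookies to it.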