developer.android.comCORS Configuration Checker
Detect CORS misconfigurations that allow unauthorized cross-origin requests to your API.
Last checked: Mar 19, 2026, 01:00 AM UTC
100/100
Grade A+Scan Results
CORS Score100/100
0
Critical
0
High
0
Medium
1
Passed
No issues detected — CORS looks good for developer.android.com.
Common CORS Issues
- Wildcard origin (*) on credentialed endpoints
- Reflecting arbitrary Origin without validation
- Null origin allowed
- Missing Vary: Origin header (cache poisoning risk)
What This Check Covers
Cross-Origin Resource Sharing (CORS) misconfigurations are among the most exploited web vulnerabilities. A misconfigured CORS policy can allow any website on the internet to make authenticated requests to your API on behalf of your users, leading to data theft and account takeover.
- Access-Control-Allow-Origin: * (wildcard) on authenticated endpoints
- Reflecting arbitrary Origin headers without validation
- Access-Control-Allow-Credentials: true with wildcard origins
- Null origin allowlisting
- Overly broad origin patterns (e.g., *.evil.com bypass)
Why it matters
CORS misconfigurations allow attacker-controlled websites to silently read authenticated API responses in the victim's browser. This is a direct path to account takeover and data exfiltration without any user interaction beyond visiting a malicious page.