goodreads.com: CORS Configuration Checker

Detect CORS misconfigurations that allow unauthorized cross-origin requests to your API.

No scan data yet for goodreads.com

We haven't scanned goodreads.com for CORS yet. Run a check to see results.

What the CORS Configuration Checker checks:

  • Access-Control-Allow-Origin: * (wildcard) on authenticated endpoints
  • Reflecting arbitrary Origin headers without validation
  • Access-Control-Allow-Credentials: true with wildcard origins
  • Null origin allowlisting
  • Overly broad origin patterns (e.g., *.evil.com bypass)

Common CORS Issues

  • Wildcard origin (*) on credentialed endpoints
  • Reflecting arbitrary Origin without validation
  • Null origin allowed
  • Missing Vary: Origin header (cache poisoning risk)

What This Check Covers

Cross-Origin Resource Sharing (CORS) misconfigurations are among the most exploited web vulnerabilities. A misconfigured CORS policy can allow any website on the internet to make authenticated requests to your API on behalf of your users, leading to data theft and account takeover.
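The following Python checker is an added example and is not the tool's own code, nor goodreads.com's real CORS configuration. It applies the rules listed above (wildcard on an authenticated endpoint, credentials with wildcard, reflected arbitrary Origin, null origin, overly broad patterns, missing Vary: Origin) to the response headers a server returns for a set of probe Origin values. The trusted host `example.com`, the probe origins, the finding ids and the three server policies (`reflect_any_policy`, `loose_regex_policy`, `strict_policy`) are all constructed for the example.

```python
"""Evaluate CORS response headers for common misconfigurations.

The server policies below are constructed stand-ins for an API's CORS
handling; the checker (probe_origins + evaluate_response) is the reusable part.
"""
import re
from urllib.parse import urlsplit

TRUSTED_HOST = "example.com"  # assumption: the site that legitimately owns the API


def probe_origins(trusted_host):
    """Origin values a scanner sends, one request each, to see how the API answers."""
    return [
        f"https://{trusted_host}",                          # legitimate, should be allowed
        "https://attacker-probe.invalid",                   # arbitrary third-party site
        "null",                                             # sandboxed iframe / file: origin
        f"https://{trusted_host}.attacker-probe.invalid",   # suffix trick vs. loose pattern
        f"https://evil{trusted_host}",                      # prefix trick vs. unanchored regex
    ]


def is_same_site(origin, trusted_host):
    """True when the origin's host is the trusted host or a real subdomain of it."""
    host = urlsplit(origin).hostname or ""
    return host == trusted_host or host.endswith("." + trusted_host)


def evaluate_response(origin_sent, headers, trusted_host, authenticated=True):
    """Return finding ids for one response to a request carrying Origin: origin_sent."""
    h = {k.lower(): v for k, v in headers.items()}          # header names are case-insensitive
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    findings = []
    if acao is None:
        return findings                                     # no cross-origin grant at all
    if acao == "*":
        if authenticated:
            findings.append("wildcard-on-authenticated-endpoint")
        if creds:
            findings.append("credentials-with-wildcard")
    elif acao == "null":
        findings.append("null-origin-allowed")
    elif acao == origin_sent and not is_same_site(origin_sent, trusted_host):
        # The server echoed an origin it should not trust. If the trusted host
        # name appears inside the echoed host, the allow rule is a loose pattern;
        # otherwise the server reflects anything.
        if trusted_host in (urlsplit(origin_sent).hostname or ""):
            findings.append("overly-broad-origin-pattern")
        else:
            findings.append("arbitrary-origin-reflected")
    # A per-origin grant without Vary: Origin lets a shared cache serve one
    # origin's grant to a different origin (cache poisoning risk).
    if acao != "*" and "origin" not in vary:
        findings.append("missing-vary-origin")
    return findings


# --- constructed server policies (origin -> response headers) ---------------

def reflect_any_policy(origin):
    """Vulnerable: echoes whatever Origin arrives, with credentials, no Vary."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def loose_regex_policy(origin):
    """Vulnerable: unanchored substring match on the trusted host, plus null."""
    if origin and (re.search(r"example\.com", origin) or origin == "null"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def strict_policy(origin):
    """Hardened: exact allowlist of full origins, Vary: Origin on every response."""
    if origin in {"https://example.com", "https://app.example.com"}:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {"Vary": "Origin"}


def scan(policy, trusted_host=TRUSTED_HOST):
    """Run every probe origin through a policy; map origins to their findings."""
    report = {}
    for origin in probe_origins(trusted_host):
        findings = evaluate_response(origin, policy(origin), trusted_host)
        if findings:
            report[origin] = findings
    return report


if __name__ == "__main__":
    for name, policy in [("reflect_any", reflect_any_policy),
                         ("loose_regex", loose_regex_policy),
                         ("strict", strict_policy)]:
        print(name, scan(policy) or "no findings")
```

The suffix and prefix probes are what separate "reflects anything" from "pattern is too loose": a policy that checks `example.com` as an unanchored substring accepts both `evilexample.com` and `example.com.attacker-probe.invalid`, while the exact-allowlist policy accepts neither and also sends `Vary: Origin` so caches keep grants per origin.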

Why it matters

CORS misconfigurations allow attacker-controlled websites to silently read authenticated API responses in the victim's browser. This is a direct path to account takeover and data exfiltration without any user interaction beyond visiting a malicious page.

Get the full security report for goodreads.com

SSL, headers, CORS, cookies, DNS + 60 more checks — free