Analyze CORS headers instantly. Detect security vulnerabilities, misconfigurations, and common issues that could break your API or expose security risks.
Enter a URL to fetch and check its CORS headers, or manually paste the response headers in key:value format.
Cross-Origin Resource Sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.
CORS headers control which origins can access your API, what methods they can use, and what data they can send.
Access-Control-Allow-Origin: * lets a page on any origin read responses from your API. This is fine for public APIs but dangerous for APIs that handle sensitive data. Browsers never send cookies or other credentials to a wildcard origin, so the exposure is for endpoints that are sensitive without per-user credentials, for example ones protected only by being reachable from an internal network.
Access-Control-Allow-Credentials: true combined with Access-Control-Allow-Origin: * is invalid; browsers block the response rather than relax the same-origin policy. A credentialed response must name a single, exact origin.
Allowing all HTTP methods when only specific ones are needed increases attack surface. List only the methods the endpoint actually implements.
Dynamically setting Access-Control-Allow-Origin to a user-supplied value (typically by echoing the request's Origin header) without validation defeats the origin check, because any site can then read credentialed responses. Validate against an explicit allowlist with an exact, case-sensitive match, not a prefix, suffix or substring check, and do not allow the literal origin "null".
Access-Control-Allow-Origin specifies which origins can access the resource. Example:
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods specifies which HTTP methods are allowed. Example:
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers specifies which request headers can be sent. Example:
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials indicates whether credentials (cookies, HTTP authentication, client certificates) may be sent. Example:
Access-Control-Allow-Credentials: true
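The following is an added example, not the analyzer's own code: it parses response headers pasted in the key:value format described above, flags the misconfigurations listed (wildcard origin, wildcard with credentials, over-broad methods, reflected or "null" origin), and applies the same response check a browser runs before exposing a cross-origin response. The sample header blocks, the requestOrigin and neededMethods options, and the finding strings are constructed for this example and are assumptions, not part of the tool.

```javascript
// Added example (not the analyzer's code). Parses pasted "key: value" response
// headers, reports CORS misconfigurations, and mirrors the browser-side check.

function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                                   // blank, status or malformed line
    const name = line.slice(0, idx).trim().toLowerCase();     // header names are case-insensitive
    headers[name] = line.slice(idx + 1).trim();
  }
  return headers;
}

// The check browsers apply to a cross-origin response: a wildcard is honoured only
// without credentials; otherwise the origin must match exactly (case-sensitive) and
// Access-Control-Allow-Credentials must be exactly "true".
function browserAllows(headers, requestOrigin, withCredentials) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (!withCredentials && acao === '*') return true;
  if (acao !== requestOrigin) return false;
  if (!withCredentials) return true;
  return headers['access-control-allow-credentials'] === 'true';
}

// opts.requestOrigin: the Origin the response was obtained with (assumed option)
// opts.neededMethods: methods the API actually implements (assumed option)
function analyzeCors(raw, opts = {}) {
  const { requestOrigin, neededMethods = [] } = opts;
  const h = parseHeaders(raw);
  const findings = [];
  const acao = h['access-control-allow-origin'];
  const credentials = h['access-control-allow-credentials'] === 'true';
  const methods = (h['access-control-allow-methods'] || '')
    .split(',').map(m => m.trim().toUpperCase()).filter(Boolean);

  if (acao === '*') {
    findings.push(credentials
      ? 'INVALID: wildcard origin with Allow-Credentials: true; browsers reject the response'
      : 'WARNING: wildcard origin; acceptable only for public, unauthenticated data');
  } else if (acao === 'null') {
    findings.push('WARNING: "null" origin allowed; sandboxed iframes and local files send this origin');
  }
  // Heuristic: a credentialed response that echoes the Origin we requested with may be
  // reflecting arbitrary origins; confirm the server uses an explicit allowlist.
  if (requestOrigin && credentials && acao !== undefined && acao !== '*' && acao === requestOrigin) {
    findings.push('CHECK: Allow-Origin matches the request Origin with credentials; confirm it comes from an explicit allowlist, not reflection');
  }
  if (methods.includes('*')) findings.push('WARNING: all methods allowed');
  if (neededMethods.length) {
    const extra = methods.filter(m => m !== '*' && !neededMethods.includes(m));
    if (extra.length) findings.push(`WARNING: methods allowed but not needed: ${extra.join(', ')}`);
  }
  return { headers: h, findings };
}

// Constructed sample responses for demonstration.
const SAMPLE_BAD = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: *',
  'Access-Control-Allow-Credentials: true',
  'Access-Control-Allow-Methods: GET, POST, PUT, DELETE',
].join('\r\n');

const SAMPLE_GOOD = [
  'Access-Control-Allow-Origin: https://example.com',
  'Access-Control-Allow-Credentials: true',
  'Access-Control-Allow-Methods: GET, POST',
  'Access-Control-Allow-Headers: Content-Type, Authorization',
].join('\n');

console.log(analyzeCors(SAMPLE_BAD, { neededMethods: ['GET', 'POST'] }).findings);
console.log(browserAllows(parseHeaders(SAMPLE_GOOD), 'https://example.com', true));
```

Paste a real response's headers into analyzeCors to get the findings list; pass the Origin the response was obtained with to enable the reflection heuristic. browserAllows is useful on its own for answering "would this response be readable from origin X, with or without credentials" without loading a page.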