Free CORS Misconfiguration Checker
Test a website for dangerous Cross-Origin Resource Sharing (CORS) misconfigurations — arbitrary origin reflection, a trusted "null" origin, wildcard allow-origin, and the critical credentials-with-permissive-origin combination that lets any site read authenticated responses.
By scanning, you confirm you own or have permission to test this domain. Not a substitute for manual penetration testing.
What this CORS checker tests
How it works
Read-only · probe requests with a crafted Origin
1. We send requests carrying test Origin headers (a random origin, "null", and your own) and read the Access-Control-* response headers.
2. We flag arbitrary origin reflection, trusting the "null" origin (browsers send it for sandboxed iframes and data: URLs, so any attacker can obtain it), wildcard allow-origin, and the critical allow-credentials-with-permissive-origin combination.
3. Only safe methods are used and nothing is modified: we are reading how the server answers a cross-origin request, not changing anything.
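As an added example (not the checker's own code), the three steps above turned into a small classifier: the probe set, the evaluation of the Access-Control-* headers each probe gets back, and a constructed stand-in for a server that echoes any Origin with credentials. The function names, the target origin `https://app.example` and the simulated responses are assumptions for illustration, so the whole thing runs offline.

```python
"""Classify the CORS answer a server gives to crafted Origin probes.

Added example following the three probe steps described on the page; it is
not the checker's own code. Header semantics follow the Fetch standard. The
target origin, the random attacker origin and the simulated server responses
are constructed here so the example runs without network access.
"""
import secrets

Finding = tuple[str, str]  # (severity, description)


def probe_origins(target_origin: str) -> list[str]:
    """The three Origins described above: a random one, "null", and the target's own."""
    random_origin = f"https://{secrets.token_hex(6)}.example"  # unguessable, attacker-style
    return [random_origin, "null", target_origin]


def classify_cors(target_origin: str, probe_origin: str, headers: dict) -> list[Finding]:
    """Return findings for one probe Origin and the response headers it produced."""
    # Header names are case-insensitive; servers and proxies differ in casing.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: list[Finding] = []

    if acao is None:
        return findings  # no grant at all: the browser blocks the cross-origin read
    if acao == target_origin:
        return findings  # fixed to, or echoing, the site's own origin: the expected safe answer
    if acao == "*":
        # Any site can read the response, but only without credentials: browsers
        # refuse to expose a credentialed response to a wildcard grant.
        findings.append(("medium", "wildcard Access-Control-Allow-Origin"))
        if creds:
            findings.append(("low", "Allow-Credentials with wildcard (ignored by browsers, but signals a misconfiguration)"))
        return findings
    if acao == probe_origin:
        # The server trusted an origin the attacker controls. "null" counts:
        # sandboxed iframes and data: URLs send it, so anyone can obtain it.
        what = 'trusts the "null" origin' if probe_origin == "null" else "reflects an arbitrary origin"
        findings.append(("high", what))
        if creds:
            findings.append(("critical", "Allow-Credentials: true with attacker-controlled origin: authenticated responses readable cross-site"))
    return findings


def assess(target_origin: str, server) -> dict[str, list[Finding]]:
    """Run all three probes. `server` maps an Origin header to the response headers
    it would return; here it is a constructed stand-in for the HTTP round trip."""
    return {o: classify_cors(target_origin, o, server(o)) for o in probe_origins(target_origin)}


def reflecting_server(origin: str) -> dict:
    """Constructed stand-in for the classic misconfiguration: echo any Origin with credentials."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def worst_severity(report: dict[str, list[Finding]]) -> str:
    """Collapse a report to its single worst severity ("none" if nothing was flagged)."""
    order = ["none", "low", "medium", "high", "critical"]
    worst = "none"
    for findings in report.values():
        for sev, _ in findings:
            if order.index(sev) > order.index(worst):
                worst = sev
    return worst


if __name__ == "__main__":
    report = assess("https://app.example", reflecting_server)
    for origin, findings in report.items():
        print(origin, findings or "ok")
    print("worst:", worst_severity(report))
```

Against the reflecting stand-in, the random origin and "null" both produce a high finding plus the critical credentials finding, while the site's own origin produces nothing, which is exactly the separation the checker needs: echoing your own origin is normal, echoing anyone else's is the bug. Swap `reflecting_server` for a function that performs the real request (for example with `urllib.request`, reading `resp.headers`) to turn this into a live probe.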
Why it matters
A CORS policy that reflects any Origin, and answers with Access-Control-Allow-Credentials: true, lets a malicious website a user visits send requests to your API with that user's cookies attached and read the responses, one of the most common and impactful API misconfigurations. Without the credentials header the exposure is limited to what the API returns to unauthenticated callers, which still matters for intranet or IP-restricted services. The fix is almost always to validate the Origin against a fixed allow-list instead of reflecting it.
Frequently asked questions
Is the CORS checker free?
Yes — it runs with no account or sign-up. Enter a domain and we send a cross-origin probe request to inspect the Access-Control-* response headers.
What is the most dangerous CORS setting?
Reflecting any Origin while also sending Access-Control-Allow-Credentials: true. That combination lets any website a logged-in user visits make requests to your API with the user's cookies attached and read the response. Access-Control-Allow-Origin: * does not have the same effect: browsers refuse to expose a credentialed response to a wildcard grant, so the exploitable pattern is a reflected or attacker-obtainable origin (including "null") paired with the credentials header.
How do I fix a CORS misconfiguration?
Never reflect the Origin header blindly. Compare the full origin (scheme, host and port) for an exact match against an explicit allow-list of trusted origins, never with a prefix, suffix or regex match that a look-alike domain could satisfy, and never put "null" on the list. Only send Access-Control-Allow-Credentials when the origin is on that list, and add Vary: Origin so caches do not serve one origin's grant to another.
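The reflecting misconfiguration beside the allow-list fix, as an added example that is not the checker's code and is not tied to any web framework. Both functions take the request's Origin header (None when absent) and return the CORS headers to add to the response; the allow-list entries and function names are constructed for illustration.

```python
"""Blind Origin reflection beside an exact allow-list check.

Added example for the fix described on the page; not the checker's own code
and framework-neutral. Each function takes the incoming Origin header (None
when the request has none) and returns the CORS headers to set on the
response. The allow-list below is constructed for the example.
"""
from typing import Optional

# Full origins: scheme, host and any non-default port. Never include "null".
ALLOWED_ORIGINS = frozenset({
    "https://app.example",
    "https://admin.app.example",
    "http://localhost:3000",
})


def cors_headers_reflecting(origin: Optional[str]) -> dict:
    """The misconfiguration: whatever Origin arrives is echoed back with credentials,
    so every site, and the "null" origin, can read authenticated responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin: Optional[str], allowed=ALLOWED_ORIGINS) -> dict:
    """The fix: grant only exact allow-list matches, and never the "null" origin."""
    headers = {"Vary": "Origin"}  # so caches never serve one origin's grant to another
    if origin is None or origin == "null":
        # No Origin means a same-origin or non-browser request, which needs no grant.
        # "null" is checked explicitly even though it is not in the set: it must
        # never be granted even if someone later adds it to the list.
        return headers
    # Exact string comparison. No endswith()/regex that "https://app.example.evil.example"
    # or "https://evilapp.example" could satisfy; scheme and port are part of the origin,
    # so "http://app.example" is rejected too.
    if origin not in allowed:
        return headers
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for o in ["https://app.example", "https://evil.example", "null", "https://app.example.evil.example"]:
        print(o, "->", cors_headers_allowlisted(o))
```

The allow-listed version still answers with the exact requesting origin rather than a wildcard, because a credentialed grant requires it; the difference from the reflecting version is purely that the echo happens only after a lookup in a fixed set.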