CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which websites can make requests to your server. By default, browsers block cross-origin requests. CORS headers tell the browser which origins are allowed to access your resources.

Why is reflected origin dangerous?

If your server reflects any Origin header back in Access-Control-Allow-Origin (especially with Allow-Credentials: true), an attacker's website can make requests to your API on behalf of a logged-in user and read the response. This lets them steal sensitive data like user profiles, tokens, or private content.

Is Access-Control-Allow-Origin: * always bad?

No. For truly public resources (public APIs, CDN assets, open data), a wildcard origin is appropriate. It becomes a problem when combined with Access-Control-Allow-Credentials: true (which browsers actually block) or when used on endpoints that serve private data based on cookies or other authentication.

What is a CORS preflight request?

For 'non-simple' requests (PUT, DELETE, custom headers, etc.), browsers first send an OPTIONS request to check if the server allows the actual request. The server responds with allowed methods, headers, and origins. Misconfigured preflight responses can either block legitimate requests or allow dangerous ones.

How does CORS testing fit into penetration testing?

CORS misconfiguration is a common finding in web application penetration tests, especially in APIs. It can lead to session hijacking, data theft, and CSRF-like attacks. Maced tests for CORS issues as part of its comprehensive API security assessment.

Free CORS Checker

Test CORS configuration for any URL

Enter any URL to test its Cross-Origin Resource Sharing (CORS) configuration. This tool sends a request with a spoofed origin header and inspects the response to determine whether the server is vulnerable to cross-origin attacks from malicious websites.

Trusted by teams at

How it works

How CORS Checker works

Enter a URL

Paste any URL — typically an API endpoint or page you want to test. We add HTTPS if needed.

Send cross-origin requests

We send requests with a spoofed Origin header (https://evil.com) and check how the server responds — specifically whether it reflects the origin or allows credentials from untrusted domains.

Analyze CORS headers

Get a detailed breakdown of all CORS response headers, their security implications, and whether the configuration is safe or exploitable.

Features

What CORS Checker checks

Origin reflection detection

Tests whether the server blindly reflects any Origin header in Access-Control-Allow-Origin — a critical misconfiguration that lets any website make authenticated cross-origin requests.

Credentials exposure check

Detects if Access-Control-Allow-Credentials is set to true alongside a permissive Allow-Origin, which would allow attackers to steal authenticated user data from their browser.

Wildcard origin analysis

Identifies whether the server uses Access-Control-Allow-Origin: * and explains when this is safe (public APIs) versus dangerous (authenticated endpoints).

Preflight and method analysis

Checks Access-Control-Allow-Methods and Access-Control-Allow-Headers to identify overly permissive configurations that expose dangerous HTTP methods.

Use cases

Who should use the free CORS Checker

API Developers

Verify your API's CORS configuration is correctly scoped to trusted origins before deploying to production. Catch wildcard origins and reflected origins early.

Security Engineers

Audit CORS policies across your organization's APIs and web services. Identify endpoints that are vulnerable to cross-origin data theft from malicious websites.

Penetration Testers

Test for CORS misconfigurations during web application assessments. Origin reflection with credentials is a high-severity finding that enables cross-origin data exfiltration.

More tools

All free security tools

FAQ

Frequently asked questions

Everything you need to know about the free CORS Checker.

Go beyond CORS Checker

This free CORS Checker checks a handful of things. Maced's AI pentest checks thousands.

Get a full autonomous penetration test — including OWASP Top 10, authentication flaws, business logic errors, API security, and more — with a compliance-ready report in hours.

Start Pentest

Proof of exploit on every finding · SOC 2 & ISO 27001 compatible

Free CORS Checker

Test CORS configuration for any URL

How CORS Checker works

Enter a URL

Send cross-origin requests

Analyze CORS headers

What CORS Checker checks

Origin reflection detection

Credentials exposure check

Wildcard origin analysis

Preflight and method analysis

Who should use the free CORS Checker

API Developers

Security Engineers

Penetration Testers

All free security tools

Scanners

Checkers

Decoders & Generators

Compliance & Assessments

Frequently asked questions

This free CORS Checker checks a handful of things. Maced's AI pentest checks thousands.

Free CORS Checkerself.__wrap_n!=1&&self.__wrap_b("_R_138dav5ubtpfl7b_",1)

Test CORS configuration for any URLself.__wrap_n!=1&&self.__wrap_b("_R_158dav5ubtpfl7b_",1)

How CORS Checker worksself.__wrap_n!=1&&self.__wrap_b("_R_l5dav5ubtpfl7b_",1)

Enter a URLself.__wrap_n!=1&&self.__wrap_b("_R_2j9dav5ubtpfl7b_",1)

Send cross-origin requestsself.__wrap_n!=1&&self.__wrap_b("_R_2l9dav5ubtpfl7b_",1)

Analyze CORS headersself.__wrap_n!=1&&self.__wrap_b("_R_2n9dav5ubtpfl7b_",1)

What CORS Checker checksself.__wrap_n!=1&&self.__wrap_b("_R_l5lav5ubtpfl7b_",1)

Origin reflection detectionself.__wrap_n!=1&&self.__wrap_b("_R_339lav5ubtpfl7b_",1)

Credentials exposure checkself.__wrap_n!=1&&self.__wrap_b("_R_359lav5ubtpfl7b_",1)

Wildcard origin analysisself.__wrap_n!=1&&self.__wrap_b("_R_379lav5ubtpfl7b_",1)

Preflight and method analysisself.__wrap_n!=1&&self.__wrap_b("_R_399lav5ubtpfl7b_",1)

Who should use the free CORS Checkerself.__wrap_n!=1&&self.__wrap_b("_R_l5tav5ubtpfl7b_",1)

API Developersself.__wrap_n!=1&&self.__wrap_b("_R_1j9tav5ubtpfl7b_",1)

Security Engineersself.__wrap_n!=1&&self.__wrap_b("_R_1l9tav5ubtpfl7b_",1)

Penetration Testersself.__wrap_n!=1&&self.__wrap_b("_R_1n9tav5ubtpfl7b_",1)

All free security toolsself.__wrap_n!=1&&self.__wrap_b("_R_l65av5ubtpfl7b_",1)

Scanners

Checkers

Decoders & Generators

Compliance & Assessments

Frequently asked questionsself.__wrap_n!=1&&self.__wrap_b("_R_l6dav5ubtpfl7b_",1)

What is CORS?

Why is reflected origin dangerous?

Is Access-Control-Allow-Origin: * always bad?

What is a CORS preflight request?

How does CORS testing fit into penetration testing?

This free CORS Checker checks a handful of things. Maced's AI pentest checks thousands.self.__wrap_n!=1&&self.__wrap_b("_R_15alav5ubtpfl7b_",1)

Free CORS Checker

Test CORS configuration for any URL

How CORS Checker works

Enter a URL

Send cross-origin requests

Analyze CORS headers

What CORS Checker checks

Origin reflection detection

Credentials exposure check

Wildcard origin analysis

Preflight and method analysis

Who should use the free CORS Checker

API Developers

Security Engineers

Penetration Testers

All free security tools

Frequently asked questions

This free CORS Checker checks a handful of things. Maced's AI pentest checks thousands.