CORS Checker

Check Cross-Origin Resource Sharing (CORS) configuration for any URL. Inspect Access-Control-* response headers, run an optional preflight (OPTIONS) request with a custom Origin/method/headers, and detect common misconfigurations such as wildcard + credentials, missing Vary: Origin, or overly broad allow-headers.

Loading…

About CORS Checker

Paste an API or page URL and verify whether browsers will allow cross-origin requests. This tool analyzes CORS response headers, can run a realistic preflight (OPTIONS) check, and highlights risky or broken configurations (like "*" with credentials, missing Vary: Origin, or weak allow-methods/allow-headers).

Features

CORS header inspection for any public URL (Access-Control-* and related headers).
Optional preflight simulation (OPTIONS) with custom Origin, request method, and request headers.
Follow redirects (up to 10) so you validate the final endpoint browsers actually hit.
Raw headers view for full transparency and debugging.
Findings + score card with "only problems" filtering for fast triage.
Vary analysis to detect missing Vary: Origin and other cache-related CORS pitfalls.
Export results as JSON and PDF reports for audits, tickets, and documentation.
Built-in recommendations for common issues: wildcard+credentials, reflecting Origin, null Origin, missing allow-methods/allow-headers, missing max-age, and overbroad allow-headers.

🧭 How to use for cors-checker

Enter the target URL

Paste the endpoint you want to test (e.g., https://api.example.com/resource).

Set the Origin you're testing from

Enter the Origin of your frontend app (scheme + host), e.g., https://app.example.com. This is the value browsers send in the Origin header.

Choose a check mode

Use Auto (recommended) to analyze both the response headers and preflight behavior. Use Simple request if you specifically want a non-preflight scenario, or Preflight only to run OPTIONS checks.

Configure preflight details (if applicable)

Enable "Run Preflight (OPTIONS)" and set Request Method plus Request Headers (comma-separated) to simulate real browser preflight behavior (e.g., authorization, content-type). Toggle "Consider credentials" if your use case includes cookies or auth headers.

Review findings and export

Check the findings/score card and the CORS analysis details. Turn on "Show Raw Headers" when debugging. Export JSON/PDF for sharing or storing in audits.

Technical specs

Request model

The tool inspects CORS headers for a target URL and can optionally perform a preflight (OPTIONS) request using the supplied Origin, method, and requested headers. Redirect following is supported.

Setting	Behavior	Default
Check Mode	Auto, Simple request, or Preflight only	Auto
Run Preflight (OPTIONS)	If enabled, performs an OPTIONS preflight simulation	Enabled
Origin	Origin header value used for analysis/preflight	https://example.com
Request Method	Access-Control-Request-Method value for preflight	GET
Request Headers	Access-Control-Request-Headers (comma-separated) for preflight	Empty
Follow Redirects	Follows redirect chain to the final URL	Enabled
Max Redirects	Redirect cap to prevent loops	10 (range 0–20)
Timeout	Request timeout limit	15000 ms
User-Agent	Identifies the request user agent	Encode64Bot/1.0 (+https://encode64.com)
Private networks	Blocks access to private network ranges for safety	Disabled (private networks not allowed)

Headers analyzed (core CORS set)

The analyzer focuses on standard CORS response and request headers used by browsers and preflight checks.

Header	Purpose
Access-Control-Allow-Origin	Which Origin(s) are allowed
Access-Control-Allow-Credentials	Whether cookies/credentials are allowed (requires non-wildcard origin)
Access-Control-Allow-Methods	Methods allowed for cross-origin requests (important for preflight)
Access-Control-Allow-Headers	Headers allowed (important for Authorization and custom headers)
Access-Control-Expose-Headers	Which headers are readable by browser JS
Access-Control-Max-Age	How long preflight can be cached by the browser
Vary	Cache key variation (e.g., Vary: Origin) to prevent cache poisoning/mixing
Origin / Access-Control-Request-*	Used to simulate preflight behavior

Heuristics (common CORS pitfalls flagged)

Findings are based on practical and security-minded checks to detect broken or risky CORS setups.

Check	Why it matters
Wildcard + credentials	Access-Control-Allow-Origin: * cannot be used with credentials; browsers will block or behavior is unsafe
Missing Vary: Origin	If responses vary per Origin but aren't cached correctly, shared caches can mix responses across sites
Reflecting Origin	Blindly echoing Origin can unintentionally allow untrusted origins
Null Origin warnings	Origin: null can appear in sandboxed iframes or file contexts; allowing it is often risky
Missing Allow-Methods / Allow-Headers	Preflight may fail if server doesn't explicitly permit method/headers
Overbroad Allow-Headers	Allowing too many headers can expand attack surface
Missing Max-Age	Preflight may run too frequently, adding latency

CORS is a browser enforcement mechanism. Servers can still be reachable cross-origin via non-browser clients; treat CORS as part of a broader security posture, not the only control.

Command line

Use these commands to reproduce CORS and preflight behavior from your terminal. They're helpful for debugging and verifying what the tool reports.

macOS / Linux

Check CORS headers for a normal request (simulate a browser Origin)

curl -i -H "Origin: https://example.com" https://api.example.com/resource

Look for Access-Control-Allow-Origin, Access-Control-Allow-Credentials, and Vary.

Run a preflight OPTIONS request (method + headers)

curl -i -X OPTIONS -H "Origin: https://app.example.com" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: authorization, content-type" https://api.example.com/private

Preflight must return the correct Access-Control-Allow-Methods and Access-Control-Allow-Headers for the browser to proceed.

Follow redirects while checking headers

curl -iL -H "Origin: https://example.com" https://api.example.com

Useful when endpoints redirect to a different host that has different CORS rules.

Windows (PowerShell)

Inspect response headers with an Origin header

$r = Invoke-WebRequest -Uri https://api.example.com/resource -Headers @{ Origin = "https://example.com" }; $r.Headers

Displays Access-Control-* headers if they are present.

If your frontend uses cookies or auth, avoid permissive CORS. Prefer an explicit allowlist of trusted origins and include Vary: Origin when responses differ by origin.

Use cases

Debug a frontend "CORS blocked" browser error

When fetch/XHR fails with a CORS error, verify whether the server returns the required Access-Control-* headers for your Origin and request type.

Confirm Access-Control-Allow-Origin matches your app origin
If using cookies/auth, check Access-Control-Allow-Credentials is true (and origin is not wildcard)
Ensure Vary: Origin is present when allowing multiple origins

Validate preflight for Authorization / custom headers

Most authenticated API calls trigger preflight due to Authorization or non-simple content types. This tool helps ensure OPTIONS responses allow the required method and headers.

Verify Access-Control-Allow-Methods includes POST/PUT/PATCH/DELETE as needed
Verify Access-Control-Allow-Headers includes authorization, content-type, and required X-* headers
Catch missing allow-methods/allow-headers before deploying

Security review of CORS policy

CORS misconfigurations can unintentionally expose private APIs to malicious sites (especially with credentials). Use the findings to catch high-risk patterns.

Detect wildcard origin combined with credentials
Detect reflecting origin patterns that allow arbitrary sites
Flag allowing Origin: null when not intended

Improve performance by caching preflight

Preflight requests add round-trips and latency. Correct Max-Age can reduce repeated preflight checks for stable APIs.

Verify Access-Control-Max-Age is present when appropriate
Reduce repeated OPTIONS calls for frequent API traffic

❓ Frequently Asked Questions

❓What is CORS in simple terms?

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls whether a webpage from one origin (scheme + host + port) can read responses from another origin. It relies on specific Access-Control-* response headers.

❓When does a browser send a preflight (OPTIONS) request?

A preflight is sent when the request is not "simple", for example when using methods like POST with certain content types or when sending headers like Authorization or custom X-* headers. The browser checks permissions via OPTIONS before sending the real request.

❓Why is "Access-Control-Allow-Origin: *" dangerous with credentials?

Browsers require an explicit origin when credentials are involved. Using wildcard with credentials is invalid for credentialed requests and indicates a risky configuration. Prefer an explicit allowlist of trusted origins.

❓Why do I need Vary: Origin?

If your server returns different Access-Control-Allow-Origin values depending on the request Origin, caches must vary by Origin to avoid serving a response intended for one site to another. Vary: Origin helps prevent cache mixing and related security issues.

❓Can CORS protect my API from non-browser clients?

No. CORS is enforced by browsers. Scripts running outside a browser (servers, curl, mobile apps) can call your API regardless of CORS. Use authentication, authorization, and rate limiting for real access control.

❓What should I put in "Request Headers" when testing preflight?

List the headers your frontend will send, comma-separated (e.g., authorization, content-type, x-request-id). This simulates Access-Control-Request-Headers and checks if the server permits them.

❓Is it safe to paste URLs here?

The tool makes server-side requests to the provided URL and blocks private-network targets. Avoid including secrets in URLs (like tokens in query strings) and prefer public endpoints you trust.