CORS Tester
Test any URL for CORS misconfigurations. Spots Origin reflection, null origin acceptance, wildcard-with-credentials, and preflight failures — the CORS mistakes that actually cause breaches.
Frequently Asked Questions
What does this CORS tester actually check?
Four probes to the URL: a GET with a trusted origin, a GET with a simulated attacker origin to detect reflection, a GET with Origin: null to detect null-origin acceptance, and an OPTIONS preflight for PUT to verify preflight handling. Then it analyzes response headers for known misconfigurations.
What's the most dangerous CORS misconfiguration?
Origin reflection WITH Access-Control-Allow-Credentials: true. Any website can make authenticated requests on behalf of your logged-in users and read responses. Direct cross-site data theft vector — fix immediately by using an allowlist of origins.
Why is accepting Origin: null bad?
Attackers can trigger cross-origin requests with Origin: null by embedding your site in a sandboxed iframe they control. Any server that accepts null effectively accepts requests from anywhere. Never whitelist null.
Can I use Access-Control-Allow-Origin: * safely?
Only for genuinely public APIs with no authentication (CDNs, open datasets, package registries). Modern browsers refuse to combine wildcard with Access-Control-Allow-Credentials: true, so credentialed requests fail entirely.
What's the Vary: Origin header for?
When your server sets a dynamic Access-Control-Allow-Origin, add Vary: Origin so caches don't serve a response from Origin A to a request from Origin B. Without it, CDNs can break CORS or accidentally expose data.
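The checks described in these answers, written out as an added example (this is not the tester's own code): a small analyzer that takes the four probe results the tool sends (trusted-origin GET, untrusted-origin GET, Origin: null GET, OPTIONS preflight for PUT) and flags origin reflection, null-origin acceptance, wildcard-with-credentials, a missing Vary: Origin, and a failing preflight. The origins and the two sets of sample responses are constructed for the example; the header names are the standard CORS headers.

```python
from dataclasses import dataclass

# Constructed origins for the example; stand-ins for the site's own origin and an untrusted one.
TRUSTED_ORIGIN = "https://app.example.com"
ATTACKER_ORIGIN = "https://attacker.example.net"


@dataclass
class Probe:
    """One probe result: request method, the Origin header sent, HTTP status, response headers."""
    method: str
    origin: str
    status: int
    headers: dict

    def header(self, name):
        # Header names are case-insensitive; normalise on lookup.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v.strip()
        return None


def analyze(probes):
    """Return a list of (severity, description) findings for the misconfigurations the FAQ lists."""
    findings = []
    by_key = {(p.method, p.origin): p for p in probes}
    trusted = by_key.get(("GET", TRUSTED_ORIGIN))
    reflected = by_key.get(("GET", ATTACKER_ORIGIN))
    null = by_key.get(("GET", "null"))
    preflight = by_key.get(("OPTIONS", TRUSTED_ORIGIN))

    def credentialed(p):
        return (p.header("Access-Control-Allow-Credentials") or "").lower() == "true"

    # 1. Origin reflection: the server echoes an untrusted origin back in Access-Control-Allow-Origin.
    if reflected and reflected.header("Access-Control-Allow-Origin") == ATTACKER_ORIGIN:
        if credentialed(reflected):
            findings.append(("HIGH", "Origin reflection with Access-Control-Allow-Credentials: true"))
        else:
            findings.append(("MEDIUM", "Origin reflection (no credentials)"))

    # 2. Null origin accepted: sandboxed iframes send Origin: null, so this is effectively "anyone".
    if null and null.header("Access-Control-Allow-Origin") == "null":
        severity = "HIGH" if credentialed(null) else "MEDIUM"
        findings.append((severity, "Origin: null accepted"))

    # 3. Wildcard combined with credentials: browsers reject this, so credentialed requests fail.
    for p in probes:
        if p.header("Access-Control-Allow-Origin") == "*" and credentialed(p):
            findings.append(("MEDIUM", "Access-Control-Allow-Origin: * with credentials (browsers reject)"))
            break

    # 4. Dynamic Access-Control-Allow-Origin without Vary: Origin: a cache may serve origin A's
    #    response to a request from origin B.
    if trusted:
        acao = trusted.header("Access-Control-Allow-Origin")
        vary = [v.strip().lower() for v in (trusted.header("Vary") or "").split(",")]
        if acao and acao != "*" and "origin" not in vary:
            findings.append(("LOW", "Dynamic Access-Control-Allow-Origin without Vary: Origin"))

    # 5. Preflight handling: OPTIONS must succeed and advertise PUT.
    if preflight:
        methods = [m.strip().upper()
                   for m in (preflight.header("Access-Control-Allow-Methods") or "").split(",")]
        if not (200 <= preflight.status < 300) or "PUT" not in methods:
            findings.append(("MEDIUM", "Preflight for PUT fails (bad status or PUT not allowed)"))

    return findings


# Constructed responses for a misconfigured server: reflects any Origin, accepts null,
# sends no Vary, and answers the preflight with 405.
VULNERABLE = [
    Probe("GET", TRUSTED_ORIGIN, 200, {"Access-Control-Allow-Origin": TRUSTED_ORIGIN,
                                      "Access-Control-Allow-Credentials": "true"}),
    Probe("GET", ATTACKER_ORIGIN, 200, {"Access-Control-Allow-Origin": ATTACKER_ORIGIN,
                                       "Access-Control-Allow-Credentials": "true"}),
    Probe("GET", "null", 200, {"Access-Control-Allow-Origin": "null",
                               "Access-Control-Allow-Credentials": "true"}),
    Probe("OPTIONS", TRUSTED_ORIGIN, 405, {}),
]

# Constructed responses for a server using an origin allowlist: unknown origins get no
# Access-Control-Allow-Origin at all, so the browser blocks the cross-origin read.
HARDENED = [
    Probe("GET", TRUSTED_ORIGIN, 200, {"Access-Control-Allow-Origin": TRUSTED_ORIGIN,
                                      "Access-Control-Allow-Credentials": "true",
                                      "Vary": "Origin"}),
    Probe("GET", ATTACKER_ORIGIN, 200, {"Vary": "Origin"}),
    Probe("GET", "null", 200, {"Vary": "Origin"}),
    Probe("OPTIONS", TRUSTED_ORIGIN, 204, {"Access-Control-Allow-Origin": TRUSTED_ORIGIN,
                                          "Access-Control-Allow-Methods": "GET, PUT, OPTIONS",
                                          "Access-Control-Allow-Credentials": "true",
                                          "Vary": "Origin"}),
]

if __name__ == "__main__":
    for label, probes in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, analyze(probes) or "no findings")
```

The hardened sample shows the fix the FAQ recommends: the server compares the incoming Origin against an allowlist, echoes it only on a match (with Vary: Origin), and otherwise omits the header entirely rather than returning "null" or reflecting the value.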