Free tool
Free CORS Checker
Is your API open to any website? Find out now.
Free. No account. Results in under 60 seconds.
What it checks
Every check, explained
- 01 Access-Control-Allow-Origin — wildcard (*) or specific origin?
- 02 Access-Control-Allow-Credentials — is it on? (dangerous with a wildcard origin)
- 03 Access-Control-Allow-Methods — which HTTP methods are allowed
- 04 Access-Control-Allow-Headers — which custom headers are accepted
- 05 Origin reflection — does the server blindly echo any Origin?
Why it matters
Why you should care
CORS misconfigurations are among the most common API vulnerabilities and also the most misunderstood. A wildcard CORS on a public data API is fine; on an authenticated API it is a CSRF-equivalent. This checker tells you which case you're in.
How it works
What happens when you paste a URL
We send a preflight OPTIONS request and a GET request, each with several different Origin headers. We report what the server returns, including whether it reflects the Origin we sent (a common and subtle bug).
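As an added illustration (not the checker's own code), the script below runs the same kind of probe against an API you operate and classifies the headers it gets back into the cases listed on this page; the probe Origin value and the verdict labels are assumptions of this example.

```python
import urllib.error
import urllib.request

# Constructed foreign origin used to detect reflection; any value your API
# does not legitimately allow would serve the same purpose.
PROBE_ORIGIN = "https://attacker.example"

def cors_headers(url: str, origin: str, method: str = "OPTIONS") -> dict:
    """Send one request with the given Origin and return the Access-Control-*
    response headers. Network call: run it only against an API you operate."""
    req = urllib.request.Request(url, method=method, headers={"Origin": origin})
    if method == "OPTIONS":
        # A real preflight also states the method the browser intends to use.
        req.add_header("Access-Control-Request-Method", "GET")
    try:
        resp = urllib.request.urlopen(req, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # a 4xx/5xx response still carries the CORS headers we want
    return {k: v for k, v in resp.headers.items()
            if k.lower().startswith("access-control-")}

def verdict(headers: dict, sent_origin: str) -> str:
    """Classify one response, mirroring the checks described on this page.
    Returns one of: none, specific, wildcard, wildcard+credentials,
    reflection, reflection+credentials."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "none"  # browsers block cross-origin reads entirely
    if acao == "*":
        # Browsers reject '*' combined with credentials, but it is still a
        # misconfiguration to correct rather than something to rely on.
        return "wildcard+credentials" if creds else "wildcard"
    if acao == sent_origin:
        # The server echoed an arbitrary Origin. With credentials this is the
        # dangerous case: authenticated responses become readable cross-site.
        return "reflection+credentials" if creds else "reflection"
    return "specific"

def check(url: str) -> dict:
    """Run preflight and GET with the probe Origin and report both verdicts."""
    return {m: verdict(cors_headers(url, PROBE_ORIGIN, m), PROBE_ORIGIN)
            for m in ("OPTIONS", "GET")}

if __name__ == "__main__":
    import sys
    print(check(sys.argv[1]))
```

Compare the OPTIONS and GET verdicts: a "specific" preflight with a "reflection" GET means the allow-list is only enforced on preflight.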
FAQ
Frequently asked questions
- Can you check a specific API endpoint?
- Yes — paste the full URL including path (e.g., `https://api.example.com/v1/users`). We check the CORS response for that exact path.
- What if my API requires auth?
- Good — we do not need to authenticate to check CORS headers. CORS is about what the response declares, not what the endpoint returns. You get the same preflight response regardless of auth state.
Fix guides
If this check fails, here is what to do
CORS allows all origins
An Access-Control-Allow-Origin: * policy lets any site call your API. Sometimes that is fine; often it is a mistake. Here is how to decide which case applies and how to fix it.
CORS credentials misconfiguration
Setting both Allow-Origin: * and Allow-Credentials: true is a dangerous misconfiguration. Here is why browsers block it and how to fix it correctly.
Glossary
Learn the concepts
Cross-Origin Resource Sharing
CORS is a browser mechanism that controls which websites can call your API. Misconfigurations can open your app to cross-site attacks.
Cross-Site Request Forgery
CSRF tricks a logged-in user into performing actions on your site without realizing it. SameSite cookies are the modern defense.