Free CORS Misconfiguration Checker

A permissive Cross-Origin Resource Sharing policy can let any website read your authenticated responses. We send a request with an arbitrary Origin and check whether the server reflects it back in Access-Control-Allow-Origin, and whether it also sets Access-Control-Allow-Credentials: true; that combination is what enables cross-origin data theft.


No credit card required • Instant results

Origin Reflection

We detect servers that blindly echo whatever Origin is sent into Access-Control-Allow-Origin, effectively trusting every website.

Credentialed CORS

Reflection combined with Access-Control-Allow-Credentials: true is rated critical: any site a logged-in user visits could read responses tied to that user's session.

Clear Severity

Findings are rated by impact, and a public wildcard (without credentials) is correctly treated as normal, not a false alarm.

What is a CORS misconfiguration?

CORS controls which origins may read responses from your server. The dangerous pattern is a server that reflects the request's Origin and sets Allow-Credentials: true. This lets a malicious site make authenticated requests on a victim's behalf and read the results, exposing private data.

A server that does not reflect the test origin is reported as safe by this check. Because the probe sends a single arbitrary origin, it does not exercise allowlist-matching bugs (for example a check that only inspects a domain prefix or suffix); review your allowlist logic separately if it matches origins by pattern.

Frequently Asked Questions About CORS Misconfiguration

What is a CORS misconfiguration?

Cross-Origin Resource Sharing (CORS) controls which other websites are allowed to read responses from your server. A misconfiguration occurs when the server is too permissive, most dangerously when it reflects whatever Origin a request sends and also sets Access-Control-Allow-Credentials: true. That combination lets any website read responses tied to a logged-in user.

How does this CORS checker test my site?

We send a request carrying an arbitrary, attacker-style Origin header and inspect the response. If the server echoes that Origin back in Access-Control-Allow-Origin, it is reflecting arbitrary origins. We then check whether credentials are also allowed, and rate the finding by severity based on the combination.
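The logic the check describes, as an added example rather than ScanTower's own code: send one request carrying an attacker-style Origin, then rate the reply from the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers. The test origin, the severity labels, and the constructed header sets are assumptions made for this example; the classifier is kept separate from the network probe so it can be run on captured headers offline.

```python
"""Classify a CORS response the way a reflection check does.

Added example, not ScanTower's code. probe() uses urllib and only runs when
called against a live host; classify_cors() is pure and is exercised below
on constructed header sets that stand in for real responses.
"""
import urllib.error
import urllib.request
from typing import Mapping

# Arbitrary attacker-style origin; an assumed value for this example.
TEST_ORIGIN = "https://evil.example"


def classify_cors(sent_origin: str, headers: Mapping[str, str]) -> dict:
    """Rate a response from its ACAO / ACAC headers for the Origin we sent.

    Severity labels (critical/medium/low/info/none) are this example's own
    scheme. Header names are compared case-insensitively since servers vary.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    acac = lower.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        # No CORS headers at all: cross-origin reads are blocked by default.
        return {"finding": "no_cors", "severity": "none", "credentials": acac}
    if acao == sent_origin:
        # The server echoed our arbitrary origin: it trusts every website.
        # With credentials allowed, a logged-in victim's data is readable.
        return {"finding": "origin_reflection",
                "severity": "critical" if acac else "medium",
                "credentials": acac}
    if acao == "*":
        # A bare wildcard is how public resources are shared. Browsers reject
        # "*" together with credentials, so that pairing is a configuration
        # error rather than a directly exploitable hole.
        return {"finding": "wildcard",
                "severity": "low" if acac else "info",
                "credentials": acac}
    # A fixed allowlisted origin that is not the one we sent.
    return {"finding": "fixed_origin", "severity": "none", "credentials": acac}


def probe(url: str, origin: str = TEST_ORIGIN, timeout: float = 10.0) -> dict:
    """Send one GET with an attacker-style Origin and classify the reply.

    Error responses are classified too, since CORS headers on a 401/403 are
    just as relevant as on a 200.
    """
    req = urllib.request.Request(
        url, headers={"Origin": origin, "User-Agent": "cors-check-example/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_cors(origin, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return classify_cors(origin, dict(err.headers.items()))


# Constructed header sets (not captured from any real server).
SAMPLES = {
    "reflect_with_creds": {"Access-Control-Allow-Origin": TEST_ORIGIN,
                           "Access-Control-Allow-Credentials": "true"},
    "reflect_no_creds": {"Access-Control-Allow-Origin": TEST_ORIGIN},
    "public_wildcard": {"Access-Control-Allow-Origin": "*"},
    "wildcard_creds": {"access-control-allow-origin": "*",
                       "access-control-allow-credentials": "true"},
    "allowlist": {"Access-Control-Allow-Origin": "https://app.example.com",
                  "Access-Control-Allow-Credentials": "true"},
    "no_cors": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:20s} -> {classify_cors(TEST_ORIGIN, hdrs)}")
```

Running the module prints one rating per sample; `probe("https://api.example.com/me")` (hypothetical URL) applies the same classifier to a live response. Note that a fixed allowlist value passing this check says nothing about how that allowlist is matched; a pattern check that accepts `https://app.example.com.evil.example` would need a second probe with such an origin.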

Is Access-Control-Allow-Origin: * dangerous?

A bare wildcard on its own is usually fine: it is how public, unauthenticated APIs and assets are meant to be shared, and browsers refuse to honour a wildcard when a request is sent with credentials. That is why we do not flag a plain wildcard as a vulnerability. The directly exploitable case is arbitrary-origin reflection. A wildcard combined with Access-Control-Allow-Credentials: true is still a misconfiguration worth fixing, since it usually means the server intended to allow credentialed cross-origin access, but browsers reject that combination outright.

What is the real-world risk of a CORS misconfiguration?

If a site reflects arbitrary origins and allows credentials, a malicious page a victim visits can make authenticated requests to the vulnerable site and read the responses, exposing private account data, tokens, or internal API results. It is effectively a cross-origin data-theft channel. For the attack to carry a victim's session, the browser must also send the session cookie cross-site (for example a cookie set with SameSite=None), which is why cookie attributes are part of the complete picture.

Is the CORS checker free?

Yes, it is free with no registration. For a broader audit covering cookie security, Content-Security-Policy effectiveness, security headers, and SSL/TLS, run a full ScanTower scan from the link below.

Want the Complete Picture?

FREE

This CORS Check is great for a quick check, but our Full Security Scan gives you a comprehensive security audit in one go.