Free Tool

Free CORS Configuration Checker

Check any website's Cross-Origin Resource Sharing policy in seconds. See whether its Access-Control-Allow-Origin headers are safely scoped or dangerously open.

Free and instant. No account or signup needed.

What this CORS checker tests

Cross-Origin Resource Sharing, or CORS, is the browser rule that decides whether code running on one website is allowed to read responses from another. A site controls this with the Access-Control-Allow-Origin header and a few companions. Get it right and your APIs work for the origins that need them. Get it wrong and you can hand attackers a way to read private, authenticated data from a victim's logged-in session.

This checker fetches the live response from the URL you enter and reports three things that decide whether the policy is safe. It shows the allowed origin, whether the server reflects whatever origin the caller sends, and whether it also allows credentials such as cookies. The dangerous combination is a server that reflects the origin and allows credentials, because that lets any website make authenticated requests and read the answers on behalf of your users.
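The three facts the checker reports, and the verdict that follows from them, can be computed from a response's headers alone. The following is an added example written for this page, not SiteSecurityScore's own scanner code: the header sets are constructed sample responses, and the probe origin `https://attacker.example` and trusted origin `https://app.example` are hypothetical names. It also covers the wildcard case discussed in the FAQ below.

```python
"""Classify a site's CORS policy from the headers it returned to a probe.

Added example, not SiteSecurityScore's own code. The header sets below are
constructed sample responses; the probe origin is a hypothetical third-party site.
"""
from dataclasses import dataclass
from typing import Optional

PROBE_ORIGIN = "https://attacker.example"   # constructed: origin the probe request sends


@dataclass
class CorsVerdict:
    allowed_origin: Optional[str]  # value of Access-Control-Allow-Origin, if any
    reflects_origin: bool          # server echoed back the probe origin
    allows_credentials: bool       # Access-Control-Allow-Credentials: true
    risk: str                      # "none", "scoped", "public", "open" or "critical"


def _get(headers: dict, name: str) -> Optional[str]:
    # HTTP header names are case-insensitive; compare lower-cased.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def assess_cors(headers: dict, probe_origin: str = PROBE_ORIGIN) -> CorsVerdict:
    """Return the three facts the checker reports plus an overall risk label."""
    acao = _get(headers, "Access-Control-Allow-Origin")
    creds = (_get(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    reflects = acao is not None and acao == probe_origin

    if acao is None:
        risk = "none"        # no cross-origin read granted at all
    elif reflects and creds:
        risk = "critical"    # any site can read authenticated responses
    elif reflects:
        risk = "open"        # any site can read, but only unauthenticated data
    elif acao == "*":
        # Browsers refuse to honour "*" together with credentials, so the
        # effective exposure is that of a public, non-credentialed resource.
        risk = "public"
    else:
        risk = "scoped"      # a fixed value that is not whatever the caller sent

    return CorsVerdict(acao, reflects, creds, risk)


# Constructed sample responses, shaped like what a scanner would receive.
SAMPLES = {
    "reflecting_with_credentials": {
        "Access-Control-Allow-Origin": "https://attacker.example",
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    },
    "wildcard_public_api": {"Access-Control-Allow-Origin": "*"},
    "allowlisted": {
        "Access-Control-Allow-Origin": "https://app.example",
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    },
    "no_cors": {"Content-Type": "application/json"},
}


def scan_samples() -> dict:
    """Risk label per constructed sample, as a report would list them."""
    return {name: assess_cors(hdrs).risk for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        v = assess_cors(hdrs)
        print(f"{name:28} {v.risk:9} reflects={v.reflects_origin} "
              f"credentials={v.allows_credentials} origin={v.allowed_origin}")
```

A real scan sends the probe with an `Origin` header set to a value the target has no reason to trust and then runs this classification over the response; the "critical" label is exactly the reflection-plus-credentials combination the text describes.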

How to fix a weak CORS policy

The safe pattern is an explicit allowlist. Decide exactly which origins need cross-origin access, return only those values in Access-Control-Allow-Origin, and enable credentials only for origins you trust. Avoid reflecting arbitrary origins and avoid pairing a wildcard with credentials. When you are ready to write the configuration, the free CORS header generator produces a safe set of headers you can copy straight into Nginx, Apache, or your app.
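The allowlist pattern is easiest to see beside the reflection it replaces. Below is an added example for this page, not output of the CORS header generator or any server's configuration: two functions that compute the response headers for a given request `Origin`, one reflecting (the weak form) and one checking an explicit allowlist (the fix). The origins `https://app.example` and `https://admin.example` are constructed placeholders.

```python
"""Weak origin reflection beside the explicit-allowlist fix.

Added example, not the page's header generator. Origin names are constructed.
"""
from typing import Optional

# Constructed allowlist: the exact origins that need cross-origin access.
ALLOWED_ORIGINS = frozenset({
    "https://app.example",    # hypothetical first-party web app
    "https://admin.example",  # hypothetical internal dashboard
})


def reflecting_cors(origin: Optional[str]) -> dict:
    """Weak pattern: echo any Origin and grant credentials. Shown only for contrast."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlist_cors(origin: Optional[str]) -> dict:
    """Hardened pattern: grant only exact allowlist matches, nothing otherwise."""
    # Exact string comparison, not a prefix, suffix or regex test, so a
    # lookalike origin that merely contains a trusted name does not match.
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}  # no Access-Control-* headers: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": origin,  # the exact trusted value only
        "Access-Control-Allow-Credentials": "true",
        # The response now differs per origin, so caches must key on Origin.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for o in ("https://app.example", "https://attacker.example", None):
        print(f"{str(o):28} reflect={reflecting_cors(o)}  allowlist={allowlist_cors(o)}")
```

Two details carry most of the safety: an origin that is not on the list gets no CORS headers at all, rather than a wildcard or an echo, and `Vary: Origin` is set whenever the header value depends on the request, so a shared cache never serves one origin's grant to another.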

Frequently asked questions

What is a CORS checker?

A CORS checker inspects the Access-Control-Allow-Origin and related headers a website returns, then tells you whether the site safely scopes cross-origin access or exposes its responses too broadly. SiteSecurityScore checks this live by scanning the URL you enter.

Why is reflecting the origin with credentials dangerous?

When a server echoes back whatever Origin the browser sends and also sets Access-Control-Allow-Credentials to true, any website can make authenticated requests and read the responses on behalf of a logged-in user. That can leak private data. Allowed origins should be an explicit allowlist instead.

Is a wildcard Access-Control-Allow-Origin always bad?

Not always. A wildcard is fine for fully public, non-credentialed resources like a public font or open data API. It becomes a problem when the same origin serves private or authenticated data, because it invites any site to read it.

How do I fix a risky CORS policy?

Replace origin reflection or wildcards with a fixed allowlist of the exact origins that need access, and only enable credentials for those trusted origins. Our free CORS header generator builds a safe configuration you can copy into your server.

Does this checker scan a live site?

Yes. Enter a URL and SiteSecurityScore fetches the live response, reads the CORS headers, and reports what it found in seconds. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies with a letter grade and copy-and-paste fixes. No account required.

Run a full scan