An overly permissive CORS policy lets attacker sites read your API in the user's name. We check your Access-Control headers and flag the dangerous combinations.
Run a free domain scan All checks βWe check your Access-Control-Allow-Origin and -Allow-Credentials headers: is origin reflected uncritically, is * used together with credentials, and is a null origin allowed?
CORS controls which other websites may read responses from your API in a logged-in user's session. A wrong policy lets an attacker site exfiltrate user data β a common finding in API reviews.
* + Allow-Credentials: true (invalid but dangerous)null originAllow-Origin: * with credentialsnull origin (easily bypassed)Is * always wrong?
No β for fully public, credential-less APIs, * can be fine. The danger is * or origin reflection TOGETHER with credentials/cookies.
Do you test with login?
We test how headers respond to different origins; we don't need your credentials for the CORS check itself.
Does it affect my API?
No β it's read-only preflight/origin tests.
Run a free scan or order a full Security Assessment β prioritised, not noise.
Run a free domain scan