Security check

CORS check: don't leak your API to any site

An overly permissive CORS policy lets attacker sites read your API in the user's name. We check your Access-Control headers and flag the dangerous combinations.

Run a free domain scan All checks β†’
Relates to: OWASP Β· API Security Top 10 ISO 27001 Β· A.8.9 NIS2 Β· art. 21

What we check

We check your Access-Control-Allow-Origin and -Allow-Credentials headers: is origin reflected uncritically, is * used together with credentials, and is a null origin allowed?

Why it matters

CORS controls which other websites may read responses from your API in a logged-in user's session. A wrong policy lets an attacker site exfiltrate user data β€” a common finding in API reviews.

How Security Guru tests it

Common mistakes

  • Reflecting back any Origin with no allowlist
  • Allow-Origin: * with credentials
  • Allowing null origin (easily bypassed)
  • No distinction between public and sensitive endpoints

What you get in the report

  • CORS policy per endpoint with exact headers
  • Dangerous combinations ranked by risk
  • Recommended allowlist-based policy
  • Mapping to OWASP API Security / ISO A.8.9

FAQ

Is * always wrong?

No β€” for fully public, credential-less APIs, * can be fine. The danger is * or origin reflection TOGETHER with credentials/cookies.

Do you test with login?

We test how headers respond to different origins; we don't need your credentials for the CORS check itself.

Does it affect my API?

No β€” it's read-only preflight/origin tests.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan