CORS Policy Inspector

Analyze CORS headers for misconfigurations including wildcard origins, dangerous credential combinations, and overly permissive methods

Enter CORS response headers in "Header-Name: value" format, one per line

What is the CORS Policy Inspector?

The CORS Policy Inspector is a client-side tool that analyzes Cross-Origin Resource Sharing response headers for security weaknesses and misconfigurations. It evaluates Access-Control-Allow-Origin, Allow-Credentials, Allow-Methods, Allow-Headers, Expose-Headers, and Max-Age directives to detect dangerous patterns like wildcard origins combined with credentials.

How to Use

  1. Open browser DevTools and navigate to the Network tab
  2. Make a cross-origin request or find one in the network log
  3. Copy the response headers (specifically the Access-Control-* headers)
  4. Paste them into the input field above
  5. Review findings with severity ratings and follow the recommendations

Example: Dangerous CORS Configuration

A server allowing wildcard origin with credentials — a critical misconfiguration:

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH
Access-Control-Expose-Headers: Authorization, Set-Cookie

Example: Secure CORS Configuration

Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 3600

Headers Analyzed

  • Access-Control-Allow-Origin — Which origins can make cross-origin requests
  • Access-Control-Allow-Credentials — Whether cookies and auth headers are sent
  • Access-Control-Allow-Methods — Which HTTP methods are permitted
  • Access-Control-Allow-Headers — Which request headers are accepted in preflight
  • Access-Control-Expose-Headers — Which response headers are accessible to scripts
  • Access-Control-Max-Age — How long preflight responses are cached

Security Scoring

Each CORS configuration receives a score from 0 to 100. Severity weights are: Critical (25 points), High (15 points), Medium (8 points), Low (3 points). The score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).

Privacy and Security

All analysis happens entirely in your browser using JavaScript. Your CORS headers are never transmitted to any server. No data is stored, logged, or shared.

Frequently Asked Questions

What CORS headers does this tool analyze?

The CORS Policy Inspector analyzes Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Expose-Headers, and Access-Control-Max-Age. It detects misconfigurations, overly permissive settings, and dangerous header combinations.

Why is wildcard origin with credentials a critical issue?

The CORS specification explicitly forbids combining Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true. Browsers will block such responses. However, finding this combination in your headers indicates a severe misconfiguration that could expose your API to credential theft if the browser enforcement were ever bypassed.

How is the security score calculated?

The score starts at 100 and deducts points according to finding severity: Critical issues (wildcard origin combined with credentials) deduct 25 points, High issues (null origin, sensitive exposed headers) deduct 15, Medium issues (wildcard origin, dangerous methods) deduct 8, and Low issues (excessive Max-Age, credentials enabled) deduct 3. The final score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).
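The following is an added example of how such an analyzer can be written, not the CORS Policy Inspector's own source. The severity weights, grade thresholds and finding categories follow the scoring rules stated above; the exact matching rules (which exposed headers count as sensitive, how repeated headers are handled, the 86400-second Max-Age ceiling) are assumptions made for this illustration. It also handles the input details from the FAQ: status lines are skipped and header names are matched case-insensitively.

```javascript
// Added example, not the CORS Policy Inspector's own source. Severity weights, grade
// thresholds and the finding categories follow the page's FAQ; the concrete matching
// rules (sensitive exposed headers, Max-Age ceiling) are assumptions.
const WEIGHTS = { critical: 25, high: 15, medium: 8, low: 3 };
const DANGEROUS_METHODS = ['PUT', 'DELETE', 'PATCH'];
const SENSITIVE_EXPOSED = ['authorization', 'set-cookie']; // assumed list
const MAX_AGE_LIMIT = 86400; // 24 hours, the page's recommended ceiling

// Parse "Header-Name: value" lines; HTTP status lines and blank lines are skipped.
function parseHeaders(text) {
  const headers = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || /^HTTP\/\d(\.\d)?\s+\d{3}/i.test(line)) continue;
    const colon = line.indexOf(':');
    if (colon <= 0) continue; // not a header line (also drops ":status" pseudo-headers)
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[name] = value; // a repeated header overwrites the earlier one (assumption)
  }
  return headers;
}

const splitList = (value) => (value || '').split(',').map((s) => s.trim()).filter(Boolean);

function gradeFor(score) {
  if (score >= 90) return 'A';
  if (score >= 75) return 'B';
  if (score >= 60) return 'C';
  if (score >= 40) return 'D';
  return 'F';
}

function analyzeCors(text) {
  const h = parseHeaders(text);
  const findings = [];
  const report = (severity, message) => findings.push({ severity, message });

  const origin = h['access-control-allow-origin'];
  const credentials = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';

  if (origin === '*' && credentials) {
    report('critical', 'Wildcard origin combined with credentials');
  } else if (origin === '*') {
    report('medium', 'Wildcard origin lets any site read responses');
  }
  if ((origin || '').toLowerCase() === 'null') {
    report('high', 'null origin is trusted (sandboxed iframes, file://, data: URLs)');
  }
  if (credentials) {
    report('low', 'Credentials enabled; the origin allow-list must be exact');
  }

  const risky = splitList(h['access-control-allow-methods'])
    .map((m) => m.toUpperCase())
    .filter((m) => DANGEROUS_METHODS.includes(m));
  if (risky.length) report('medium', `State-changing methods allowed: ${risky.join(', ')}`);

  const exposed = splitList(h['access-control-expose-headers'])
    .map((x) => x.toLowerCase())
    .filter((x) => SENSITIVE_EXPOSED.includes(x));
  if (exposed.length) report('high', `Sensitive headers exposed to scripts: ${exposed.join(', ')}`);

  const maxAge = parseInt(h['access-control-max-age'], 10);
  if (Number.isFinite(maxAge) && maxAge > MAX_AGE_LIMIT) {
    report('low', `Max-Age ${maxAge}s exceeds ${MAX_AGE_LIMIT}s; policy changes propagate slowly`);
  }

  const deductions = findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0);
  const score = Math.max(0, 100 - deductions);
  return { headers: h, findings, score, grade: gradeFor(score) };
}

// Constructed input: the page's "Dangerous CORS Configuration" example with a status line prepended.
const DANGEROUS_EXAMPLE = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: *',
  'Access-Control-Allow-Credentials: true',
  'Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH',
  'Access-Control-Expose-Headers: Authorization, Set-Cookie',
].join('\n');

const result = analyzeCors(DANGEROUS_EXAMPLE);
console.log(result.score, result.grade); // 49 D
for (const f of result.findings) console.log(`[${f.severity}] ${f.message}`);
```

On the dangerous example this reports one Critical (wildcard plus credentials), one High (Authorization and Set-Cookie exposed), one Medium (PUT, DELETE, PATCH) and one Low (credentials enabled), for 51 points deducted, a score of 49 and grade D; the page's secure example produces no findings and a score of 100.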

What format should the input be?

Enter CORS response headers in the standard "Header-Name: value" format, one per line. You can paste the full response headers from browser DevTools (Network tab → Response Headers) or just the Access-Control-* headers. HTTP status lines are automatically skipped.

Is my data sent to a server?

No. All analysis happens entirely in your browser using JavaScript. Your CORS headers are never transmitted to any server. No data is stored, logged, or shared.

What is the danger of Access-Control-Allow-Origin: null?

The null origin is sent by sandboxed iframes, local file:// pages, and data: URLs. Trusting it lets any such context make credentialed requests to your API, potentially leading to data theft. Never allow-list the null origin.

Why are PUT, DELETE, and PATCH flagged as dangerous methods?

These methods modify or delete server-side resources. Allowing them via CORS means every permitted origin can perform state-changing operations. Expose only the methods your cross-origin clients actually require, and always combine them with proper authentication.
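As an added example (not part of the page or the tool it describes), here is a server-side helper that builds CORS response headers the way the two answers above recommend: origins are matched exactly against an allow-list, the null origin is never trusted, credentials are only ever paired with a specific echoed origin, and a preflight is only answered for methods the policy actually lists. The POLICY object and the request shape are assumptions made for the illustration.

```javascript
// Added example, not code from the page or its tool. POLICY and the request object
// shape are assumptions; the values mirror the page's "Secure CORS Configuration".
const POLICY = {
  allowedOrigins: ['https://app.example.com'], // exact origins only: never '*' or 'null'
  credentials: true,
  methods: ['GET', 'POST'], // only what cross-origin clients actually need
  allowedHeaders: ['Content-Type', 'Authorization'],
  maxAge: 3600, // one hour, the page's recommended value
};

// Exact, case-sensitive match against the allow-list. No prefix, suffix or regex
// matching, so "https://app.example.com.evil.example" is not mistaken for the real origin.
function isAllowedOrigin(origin, policy) {
  if (typeof origin !== 'string' || origin.toLowerCase() === 'null') return false;
  return policy.allowedOrigins.includes(origin);
}

// Builds the headers to add to a response. `req` is { origin, method, requestMethod },
// where requestMethod is the Access-Control-Request-Method of a preflight (if any).
// An untrusted origin or an unlisted preflight method gets only "Vary: Origin".
function corsHeadersFor(req, policy = POLICY) {
  // Shared caches must key on Origin because Allow-Origin differs per request.
  const headers = { Vary: 'Origin' };
  if (!isAllowedOrigin(req.origin, policy)) return headers;

  const isPreflight = req.method === 'OPTIONS' && typeof req.requestMethod === 'string';
  if (isPreflight && !policy.methods.includes(req.requestMethod.toUpperCase())) {
    return headers; // e.g. DELETE is not offered, so the browser will fail the preflight
  }

  headers['Access-Control-Allow-Origin'] = req.origin; // echo the specific origin, never '*'
  if (policy.credentials) headers['Access-Control-Allow-Credentials'] = 'true';

  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = policy.methods.join(', ');
    headers['Access-Control-Allow-Headers'] = policy.allowedHeaders.join(', ');
    headers['Access-Control-Max-Age'] = String(policy.maxAge);
  }
  return headers;
}

// Constructed requests for demonstration.
console.log(corsHeadersFor({ origin: 'https://app.example.com', method: 'GET' }));
console.log(corsHeadersFor({ origin: 'null', method: 'GET' }));
console.log(corsHeadersFor({ origin: 'https://app.example.com', method: 'OPTIONS', requestMethod: 'DELETE' }));
```

Because the helper only ever echoes an origin it has verified, the combination the inspector grades as Critical (wildcard plus credentials) cannot be produced, and the preflight branch is where the method list is enforced rather than relying on the client to behave.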

What is the difference between this tool and the Security Headers Analyzer?

The Security Headers Analyzer checks all HTTP security headers (HSTS, CSP, X-Frame-Options, etc.) at a high level. The CORS Policy Inspector performs deep analysis specifically of Access-Control-* headers, detecting dangerous combinations and evaluating each CORS directive individually.

What is Access-Control-Max-Age and why does a long value matter?

Access-Control-Max-Age tells browsers how long, in seconds, to cache preflight (OPTIONS) responses. A very long cache duration (over 24 hours) means that if you change your CORS policy, clients will not see the update until their cached preflight expires. Keep it at 3600 seconds (1 hour), or at most 86400 (24 hours).