API CORS Check
Endpoint: /v1/domain/api-cors

Tests and analyzes CORS (Cross-Origin Resource Sharing) configuration. Catches the OWASP/PortSwigger-grade CORS bugs that simple wildcard checks miss: missing Vary: Origin (cross-origin cache poisoning), allow-list bypass via prefix/suffix domain matching, origin reflection, and null-origin acceptance.
What It Does
The check runs up to four probe stages against the target:

1. Three parallel OPTIONS preflights, each with a different Origin header: example.com, evil.attacker.com and null.
2. If none of the preflights returns CORS headers, the same three origins are sent again as a GET probe. Many backends violate the spec by attaching CORS headers only to real requests and not to preflights, so a preflight-only check would wrongly report CORS as disabled.
3. If the server reflects the request Origin, two further probes, `<domain>.attacker.com` and `attacker.com.<domain>`, to catch allow-lists implemented as prefix or suffix matches rather than exact comparison.
4. Whenever the server answers with a non-wildcard Access-Control-Allow-Origin, a check that the response also carries `Vary: Origin`. Its absence is a CRITICAL finding (documented by both MDN and PortSwigger): a shared cache can store the response generated for origin A and serve it, Access-Control-Allow-Origin header included, to a request from origin B.
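The probe sequence above as an offline model, added here as an illustration and not the edgedns.dev service's own code. It takes a `send(method, url, origin)` callable in place of an HTTP client and returns a dict shaped like the response fields documented further down; the two backends at the bottom are constructed fixtures, one exhibiting every finding the check reports and one configured correctly. One assumption is labelled in the code: "reflection", the trigger for the bypass probes, is taken to mean that some probe's Origin came back verbatim rather than `*` or a fixed value.

```python
"""Offline model of the CORS probe sequence. Added illustration, not the
edgedns.dev implementation; ``send(method, url, origin)`` stands in for the
HTTP client and returns response headers. Fixtures at the bottom are constructed."""
from urllib.parse import urlparse

PROBE_ORIGINS = ("https://example.com", "https://evil.attacker.com", "null")


def cors_headers(headers):
    """Keep only Access-Control-* and Vary, with lower-cased names."""
    return {k.lower(): v for k, v in headers.items()
            if k.lower().startswith("access-control-") or k.lower() == "vary"}


def _has_cors(h):
    return any(k.startswith("access-control-") for k in h)


def _echoes(h, origin):
    return h.get("access-control-allow-origin") == origin


def _vary_has_origin(h):
    return "origin" in {t.strip().lower() for t in h.get("vary", "").split(",")}


def analyze_cors(domain, send):
    """Return a dict shaped like the endpoint's documented response fields."""
    url = domain if "://" in domain else "https://" + domain
    host = urlparse(url).hostname

    # Step 1: three preflights, one per probe Origin.
    verb, method = "OPTIONS", "preflight"
    probes = {o: cors_headers(send(verb, url, o)) for o in PROBE_ORIGINS}
    if not any(_has_cors(h) for h in probes.values()):
        # Step 2: fall back to GET; some backends only add CORS headers to real requests.
        verb, method = "GET", "simple-request"
        probes = {o: cors_headers(send(verb, url, o)) for o in PROBE_ORIGINS}
    if not any(_has_cors(h) for h in probes.values()):
        return {"domain": host, "url": url, "corsEnabled": False, "detectionMethod": None,
                "isWildcard": False, "security": {}, "recommendations": []}

    acao = {o: h.get("access-control-allow-origin") for o, h in probes.items()}
    answered = [h for h in probes.values() if _has_cors(h)]
    is_wildcard = "*" in acao.values()
    credentials = answered[0].get("access-control-allow-credentials", "").lower() == "true"
    # Assumption: "reflection" means a probe's Origin came back verbatim instead of "*"
    # or a fixed value; that is what makes the bypass probes and the Vary check relevant.
    reflected = any(_echoes(probes[o], o) for o in PROBE_ORIGINS)

    sec = {
        "isPermissive": False,
        "credentialsWithWildcard": is_wildcard and credentials,
        "reflectsOrigin": _echoes(probes[PROBE_ORIGINS[1]], PROBE_ORIGINS[1]),
        "allowsNullOrigin": acao["null"] == "null",
        "missingVaryOrigin": False,
        "allowListBypass": {"prefix": False, "suffix": False},
    }
    if reflected:
        # Step 3: attacker-registrable names that pass startswith/endswith-style allow-lists.
        prefix, suffix = f"https://{host}.attacker.com", f"https://attacker.com.{host}"
        sec["allowListBypass"] = {
            "prefix": _echoes(cors_headers(send(verb, url, prefix)), prefix),
            "suffix": _echoes(cors_headers(send(verb, url, suffix)), suffix),
        }
        # Step 4: a per-origin answer without Vary: Origin can be cached for origin A
        # and served, ACAO header included, to origin B.
        sec["missingVaryOrigin"] = not all(_vary_has_origin(h) for h in answered)
    sec["isPermissive"] = (is_wildcard or sec["reflectsOrigin"] or sec["allowsNullOrigin"]
                           or any(sec["allowListBypass"].values()))

    recs = []
    if sec["missingVaryOrigin"]:
        recs.append({"severity": "CRITICAL", "message": "Send Vary: Origin with every non-wildcard Access-Control-Allow-Origin."})
    if any(sec["allowListBypass"].values()):
        recs.append({"severity": "CRITICAL", "message": "Compare origins by exact match, not prefix or suffix."})
    if sec["allowsNullOrigin"]:
        recs.append({"severity": "HIGH", "message": "Reject Origin: null (sent by sandboxed iframes and file:// pages)."})
    if sec["reflectsOrigin"]:
        recs.append({"severity": "HIGH", "message": "Do not reflect arbitrary origins."})
    return {"domain": host, "url": url, "corsEnabled": True, "detectionMethod": method,
            "isWildcard": is_wildcard, "security": sec, "recommendations": recs}


def broken_backend(method, url, origin):
    """Constructed fixture: CORS headers only on real requests, substring
    allow-list, Origin: null accepted, credentials on, no Vary header."""
    if method == "OPTIONS":
        return {"Allow": "GET, OPTIONS"}
    if origin == "null" or "example.com" in (urlparse(origin).hostname or ""):
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
    return {}


def hardened_backend(method, url, origin):
    """Constructed fixture: exact-match allow-list, Vary: Origin on every response."""
    headers = {"Vary": "Origin"}
    if origin in {"https://example.com", "https://app.example.com"}:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    import json
    for name, backend in (("broken", broken_backend), ("hardened", hardened_backend)):
        print(name, json.dumps(analyze_cors("https://api.example.com", backend), indent=2))
```

Against the broken fixture the preflights come back empty, the GET fallback finds CORS, both bypass probes are accepted because the allow-list is a substring test, and the missing `Vary: Origin` is reported alongside them as CRITICAL. The hardened fixture echoes only exact allow-list entries and sets `Vary: Origin` on every response, so the same run produces no recommendations. Note that `Vary: Origin` belongs on every response from the endpoint, including the ones that carry no CORS headers, which is why the hardened fixture sets it unconditionally.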
Why It's Useful
Misconfigured CORS is a common vulnerability class (see the OWASP Web Security Testing Guide) that lets a page on an attacker's origin read authenticated responses from your API in the victim's browser. Testing the configuration identifies which origins the server actually trusts, rather than which ones the developers intended to trust.
Use Cases
Security Audit
Audit API CORS configuration for overly permissive settings.
Find CORS misconfigurations before attackers exploit them.
API Development
Verify CORS is properly configured for expected client origins.
Ensure CORS settings match application requirements.
Penetration Testing
Test for CORS vulnerabilities during web application assessments.
Identify exploitable CORS configurations.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | Domain or full URL; accepts `example.com` or `https://example.com/path`. Example: `https://api.example.com` |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain (bare hostname). |
| url | string | Full URL that was fetched, echoing the protocol used in the request. |
| corsEnabled | boolean | Whether CORS headers are present. |
| detectionMethod | string | `"preflight"` when OPTIONS returned CORS headers, `"simple-request"` when the GET-fallback probe found them, `null` when CORS is disabled. |
| isWildcard | boolean | Whether Access-Control-Allow-Origin is the wildcard (`*`). |
| configuration | object | CORS config: `allowOrigin`, `allowMethods`, `allowHeaders`, `allowCredentials`, `maxAge`, `exposeHeaders`, and `varyOriginPresent` (whether the response sets `Vary: Origin`). |
| security | object | Security assessment: `isPermissive`, `credentialsWithWildcard`, `reflectsOrigin`, `allowsNullOrigin`, `missingVaryOrigin` (true when a dynamic origin allow-list is used without `Vary: Origin`, a cache-poisoning risk), and `allowListBypass: { prefix: boolean, suffix: boolean }` (true when an attacker-controlled domain matching a prefix/suffix pattern was accepted). |
| recommendations | array | CORS security improvement suggestions; `missingVaryOrigin` and `allowListBypass` findings are flagged at CRITICAL severity. |
Code Examples
```bash
# -G sends "domain" as a query-string parameter (GET), matching the JavaScript and Python examples below;
# plain -d would turn the request into a POST.
curl -G "https://api.edgedns.dev/v1/domain/api-cors" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  --data-urlencode "domain=https://api.example.com"
```

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/api-cors?domain=https%3A%2F%2Fapi.example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/domain/api-cors',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'https://api.example.com'
    }
)
data = response.json()
print(data)
```