
API CORS Check

GET /v1/domain/api-cors

Tests and analyzes CORS (Cross-Origin Resource Sharing) configuration. Identifies permissive configurations that could lead to security vulnerabilities.

What It Does

Tests CORS configuration by sending OPTIONS requests with three different Origin headers: a standard domain (example.com), an untrusted domain (evil.attacker.com, to detect origin reflection), and `null` (to detect null-origin acceptance). Analyzes Access-Control-Allow-Origin, Access-Control-Allow-Credentials, and the other CORS response headers. Flags overly permissive configurations such as a wildcard origin combined with credentials, origin reflection, and null-origin acceptance.
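The analysis step described above, as an added example that is not the edgedns.dev code: it takes the response headers captured for each of the three probe Origins and derives the same assessment the endpoint reports (the `security` and `recommendations` field names follow the Response Fields section; the decision rules are this example's own assumption about how those flags are computed).

```python
# Added example: offline CORS assessment over captured OPTIONS response headers.
from typing import Dict, List

# The three probe Origins the endpoint sends (from the description above).
TRUSTED, UNTRUSTED, NULL = "https://example.com", "https://evil.attacker.com", "null"

def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def assess_cors(responses: Dict[str, Dict[str, str]]) -> dict:
    """responses maps each probe Origin to the headers returned for the OPTIONS
    request that carried it. Returns corsEnabled, isWildcard, security, recommendations."""
    allow_origin = {o: _header(h, "Access-Control-Allow-Origin") for o, h in responses.items()}
    credentials = any(_header(h, "Access-Control-Allow-Credentials").lower() == "true"
                      for h in responses.values())
    cors_enabled = any(allow_origin.values())
    is_wildcard = allow_origin.get(TRUSTED) == "*"
    reflects = allow_origin.get(UNTRUSTED) == UNTRUSTED   # server echoed the untrusted Origin
    allows_null = allow_origin.get(NULL) == "null"
    security = {
        "isPermissive": is_wildcard or reflects or allows_null,
        "credentialsWithWildcard": is_wildcard and credentials,
        "reflectsOrigin": reflects,
        "allowsNullOrigin": allows_null,
    }
    recommendations: List[str] = []
    if security["credentialsWithWildcard"]:
        recommendations.append("Do not combine Access-Control-Allow-Origin: * with Allow-Credentials: true")
    if reflects:
        recommendations.append("Validate Origin against an allow-list instead of echoing it back")
    if allows_null:
        recommendations.append("Do not allow the null origin; sandboxed iframes and file:// pages send it")
    if reflects and credentials:
        recommendations.append("Reflected origin plus credentials exposes authenticated responses cross-origin")
    return {"corsEnabled": cors_enabled, "isWildcard": is_wildcard,
            "security": security, "recommendations": recommendations}

# Constructed sample (not real captures): a server that echoes every Origin and allows credentials.
SAMPLE = {
    TRUSTED:   {"Access-Control-Allow-Origin": TRUSTED,   "Access-Control-Allow-Credentials": "true"},
    UNTRUSTED: {"Access-Control-Allow-Origin": UNTRUSTED, "Access-Control-Allow-Credentials": "true"},
    NULL:      {"Access-Control-Allow-Origin": "null",    "Access-Control-Allow-Credentials": "true"},
}
```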

Why It's Useful

Misconfigured CORS is a common security vulnerability (see the OWASP Web Security Testing Guide) that can allow unauthorized cross-origin access to API responses. Testing the CORS configuration helps identify potential data exposure risks before they are exploited.

Use Cases

Security Engineer

Security Audit

Audit API CORS configuration for overly permissive settings.

Find CORS misconfigurations before attackers exploit them.

Backend Developer

API Development

Verify CORS is properly configured for expected client origins.

Ensure CORS settings match application requirements.

Penetration Tester

Penetration Testing

Test for CORS vulnerabilities during web application assessments.

Identify exploitable CORS configurations.

Parameters

Name    Type    Required  Description
domain  string  Required  The domain to test CORS configuration for. Example: api.example.com

Response Fields

Field            Type     Description
domain           string   The queried domain
corsEnabled      boolean  Whether CORS headers are present
isWildcard       boolean  Whether Access-Control-Allow-Origin is the wildcard (*)
configuration    object   CORS config (allowOrigin, allowMethods, allowHeaders, allowCredentials, maxAge, exposeHeaders)
security         object   Security assessment (isPermissive, credentialsWithWildcard, reflectsOrigin, allowsNullOrigin)
recommendations  array    CORS security improvement suggestions

Code Examples

cURL
curl -G "https://api.edgedns.dev/v1/domain/api-cors" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=api.example.com"
JavaScript
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/api-cors?domain=api.example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);

const data = await response.json();
console.log(data);
Python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/domain/api-cors',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={'domain': 'api.example.com'},
)

data = response.json()
print(data)

Read the full API CORS Check guide

Why it matters, real-world use cases, parameters, response fields, and how to call it from Claude, ChatGPT, or Gemini via MCP.

