CORS Policy Risk Checker

Endpoint label:

Use the service or route name you want shown in exports.

Observed request Origin:

Examples: https://app.example.com, https://evil.example, or null.

Approved origins:

Keep this to real browser origins. Use one origin per line for clear exports.

Response headers:

Include Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Vary, methods, allowed headers, exposed headers, and max-age when present.

Paste headers only; request and response bodies are not needed.

Credentialed requests expected

Turn this on when browser requests include cookies, HTTP auth, client certificates, or credentialed fetch/XHR.

Response may contain sensitive data

Turn this off only for intentionally public, read-only resources.

Input review

{{ warning }}

Preflight max-age review limit:

A shorter cache keeps CORS policy changes visible sooner during incident response.

sec

Require Vary: Origin for specific ACAO

Leave on for reflected or per-origin responses that can pass through shared caches.

Treat Private Network Access as sensitive

Flags Access-Control-Allow-Private-Network when the origin policy is broad or unproven.

Field	Value	Signal	Copy
{{ row.field }}	{{ row.value }}	{{ row.signal }}

Severity	Signal	Evidence	Recommendation	Copy
{{ row.severityLabel }}	{{ row.signal }}	{{ row.evidence }}	{{ row.recommendation }}

Export to PDF Fullscreen

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Cross-Origin Resource Sharing, usually shortened to CORS, is the browser rule system that decides whether JavaScript from one origin may read a response from another origin. The central question is narrow but important: when a browser sends an Origin header, does the response name a trusted origin, allow every origin, or fail to name a readable origin at all?

CORS does not authenticate users, replace CSRF defenses, or stop direct server-to-server traffic. It controls browser read access. That distinction matters for APIs, partner dashboards, admin consoles, and single-page applications because a broad CORS response can let an unrelated website read data that the server was willing to return to the browser.

Diagram showing an observed origin, approved origin list, CORS response headers, risk rules, and a 0 to 100 risk score.

Risk rises when the response is readable by origins that were not meant to use it, when credentials are allowed with a loose origin rule, when state-changing methods are broadly available, or when sensitive headers become visible to browser JavaScript. A missing or weak CORS header can also be intentional for a route that should not be read cross-origin.

A useful CORS review therefore combines browser protocol rules with deployment intent. The same wildcard can be reasonable for a public static resource and unacceptable for a credentialed account API. The same exact origin can be correct when it matches a maintained allowlist and suspicious when it merely reflects whatever origin was sent in the request.

Technical Details:

The browser starts a CORS decision with the request origin and the response's access-control headers. Access-Control-Allow-Origin must be either one serialized origin, the wildcard *, or the special value null. When credentials are part of the request, a wildcard origin is not enough for the browser to expose the response to JavaScript.

Exact origins carry their own cache concern. If a server chooses an origin dynamically from an allowlist, shared caches need to know that the response can differ by request origin. Vary: Origin is the usual signal for that case. Without it, a cache may reuse a response whose readable origin was chosen for a different caller.

The checker uses rule-based findings instead of trying to prove exploitability. Each finding records a severity, the header evidence, and a recommendation. The numeric score is a capped sum of finding weights, so several medium or high findings can produce a Critical band even when only one finding would not.

risk score = \min (100, \sum finding weight)

Core CORS risk rules used by the checker
Signal	Rule used in review	Typical recommendation
Origin trust	`Access-Control-Allow-Origin` is missing, invalid, repeated, wildcard, `null`, reflected from an unapproved request origin, or outside the approved origin list.	Return one approved origin for sensitive routes, or omit CORS intentionally for routes that should not be read cross-origin.
Credentials	`Access-Control-Allow-Credentials: true` appears with a wildcard origin, with no usable exact origin, or on a route marked as credentialed.	Use a server-side origin allowlist and send the credentials header only after a trusted origin match.
Cache behavior	A specific origin is returned without `Vary: Origin`, or `Access-Control-Max-Age` exceeds the chosen review limit while other risks exist.	Add `Vary: Origin` for dynamic origin responses and shorten preflight caching while policy is being corrected.
Methods and request headers	Wildcard methods, `PUT`, `PATCH`, `DELETE`, wildcard request headers, or authorization-like request headers appear while origin trust is broad or unproven.	List only the methods and request headers that approved browser clients actually need.
Readable response headers	`Access-Control-Expose-Headers` exposes `authorization`, session tokens, API keys, cookies, or similar headers.	Keep tokens and session artifacts out of headers readable by browser JavaScript.
Private network	`Access-Control-Allow-Private-Network: true` is present while origin trust is broad or unproven and private-network sensitivity is enabled.	Allow private-network browser access only from tightly approved administrative origins.

Severity weights and risk score bands
Finding severity or band	Boundary or weight	How to read it
Critical finding	`35`	Credentialed wildcard, trusted `null` origin, or reflected unapproved origin on sensitive or credentialed traffic.
High finding	`22`	Broad origin trust combined with state-changing methods, sensitive request headers, exposed secrets, or private-network grants.
Medium finding	`12`	Missing `Vary: Origin`, invalid or multiple ACAO values, long preflight caching, or wildcard use that needs justification.
Low finding	`5`	Missing evidence or weak combinations that deserve cleanup before review.
Risk band	`65+`, `40+`, `20+`, below `20`	Total score becomes Critical, High, Moderate, or Low. The Risk Register still shows the individual finding severities.

The input parser is intentionally header-focused. Status lines are skipped, blank lines are ignored, and only name: value lines become header evidence. That keeps response bodies, request bodies, and unrelated terminal output out of the review.

Everyday Use & Decision Guide:

Start with the response that represents the route under review. For CORS bugs, that is often an OPTIONS preflight response and the actual response from the same route. Paste the headers into Response headers, name the route in Endpoint label, and enter the browser origin you tested in Observed request Origin.

Put the approved production origins in Approved origins, one per line. Exact origins are strongest. Patterns such as https://*.example.com are useful for review, but they should match real policy intent rather than become a substitute for knowing which applications are trusted.

Leave Credentialed requests expected on for routes that use cookies, HTTP authentication, client certificates, or credentialed fetch/XHR.
Leave Response may contain sensitive data on for account, admin, billing, personal, partner, or internal API responses.
Use Normalize headers after pasting from DevTools, curl -i, or a proxy trace when repeated whitespace makes the sample hard to read.
Keep Require Vary: Origin for specific ACAO on for reflected or per-origin responses behind a CDN, reverse proxy, or shared cache.
Lower Preflight max-age review limit during incident cleanup so stale browser preflight results do not hide policy changes for too long.
Keep Treat Private Network Access as sensitive on for admin panels, routers, device APIs, internal dashboards, and private address space.

The safest reading path is summary, then Header Snapshot, then Risk Register. The summary gives the total score, parsed header count, credential badge, origin badge, and approved-origin cue. Header Snapshot shows the normalized values that fed the review. Risk Register is where the actual decisions live because each row includes the signal, evidence, and recommendation.

Do not treat a Low score as approval. It means the pasted headers did not trigger the checked risk signals under the current settings. You still need to confirm the server-side allowlist, the route's data sensitivity, authentication, CSRF protection, and the response that real users receive.

Step-by-Step Guide:

Review one endpoint and one observed origin at a time so the score, register, and chart describe the same browser access decision.

Enter Endpoint label with the route or service name you want shown in the summary, such as partner-api /v1/account.
Enter Observed request Origin. Use the exact browser origin from the request, such as https://app.example.com, https://evil.example, or null.
Add trusted browser origins in Approved origins. If this field is empty, Input review warns that reflected or specific origins cannot be checked against an allowlist.
Paste raw response headers into Response headers. If Input review says lines were ignored, fix missing colons or remove non-header text before relying on the result.
Set Credentialed requests expected and Response may contain sensitive data to match the route. These switches change how wildcard, reflected, and null origins are judged.
Open Advanced when cache or private-network policy matters. Adjust Preflight max-age review limit, Require Vary: Origin for specific ACAO, and Treat Private Network Access as sensitive.
Read the summary. A line such as Critical - 100/100 means the combined finding weights reached the top band; Low - 0/100 means only the informational baseline row remained.
Open Risk Register and act on the highest severity rows first. Use the Evidence column to confirm the header value and the Recommendation column as the review note.
Open CORS Exposure Map to see which categories contributed score. A tall Credentials or Origin trust bar should send you back to ACAO, ACAC, and the approved origin list.

A clean handoff has no Critical or High findings, a Header Snapshot that matches the intended route, and approved origins that match the real application list rather than a convenient test origin.

Interpreting Results:

The most important output is the first actionable row in Risk Register. The total score helps triage, but a single row such as Wildcard origin with credentials, Unapproved origin reflected, or Sensitive headers exposed usually tells you what to fix before release review.

CORS result cues and recommended follow-up checks
Visible cue	Best first reading	What to verify next
ACAO * with ACAC true	The response combines a wildcard origin with credential sharing.	Return an exact approved origin and keep credentials limited to trusted browser clients.
Origin unproven	The observed request origin was not confirmed against the approved origin list.	Fix `Approved origins` if the list is incomplete, or remove reflection for that origin.
Vary: Origin missing	A specific ACAO value appears without the cache variance signal required by the review setting.	Add `Vary: Origin` when a response can name different origins for different requests.
Sensitive request headers accepted broadly	Authorization or CSRF-related headers are allowed while origin trust is broad or unproven.	Restrict allowed request headers to approved origins that truly need browser access.
No baseline CORS risk signal	The pasted sample passed the checker's allowlist, credential, Vary, method, exposure, cache, and private-network checks.	Confirm the same headers on the deployed route, both preflight and actual response, before closing the review.

Be careful with absence. Missing Access-Control-Allow-Origin can be correct when a route should not be readable cross-origin. It becomes a review finding here because the route was submitted for CORS review and may have been expected to allow browser access.

The chart is a quick category view, not a replacement for header evidence. Use it to spot whether the problem is mainly origin trust, credentials, methods, cache behavior, exposed headers, or private network access, then make the change named in the Risk Register.

Worked Examples:

Approved credentialed API response

A route labeled partner-api /v1/account is tested from https://app.example.com, with approved origins set to https://app.example.com and https://admin.example.com. The response includes Access-Control-Allow-Origin: https://app.example.com, Access-Control-Allow-Credentials: true, Access-Control-Allow-Methods: GET, POST, OPTIONS, Access-Control-Max-Age: 600, and Vary: Origin. The summary reads Low - 0/100, Header Snapshot marks the origin as Approved, and Risk Register shows No baseline CORS risk signal.

Wildcard policy on a sensitive route

The risky sample uses Access-Control-Allow-Origin: *, Access-Control-Allow-Credentials: true, state-changing methods, authorization-related request headers, exposed authorization/session headers, Access-Control-Allow-Private-Network: true, and Access-Control-Max-Age: 86400. With credentialed requests and sensitive response enabled, the summary reaches Critical - 100/100. Risk Register includes Wildcard origin with credentials, State-changing methods broadly allowed, Sensitive request headers accepted broadly, Sensitive headers exposed, Risky preflight cache duration, and Private Network Access allowed broadly.

Unapproved origin reflection

An incident review tests Observed request Origin as https://staging.example.net while Approved origins lists only production app and admin origins. If the response returns Access-Control-Allow-Origin: https://staging.example.net with credentials enabled, the Risk Register flags Unapproved origin reflected. If Vary: Origin is also missing, the cache finding appears beside the origin trust finding because an origin-specific response may pass through shared caching.

Header paste cleanup

A copied terminal excerpt such as Access-Control-Allow-Origin https://app.example.com is not a valid name: value header line, so Input review reports an ignored line and Header Snapshot may show ACAO as missing. Add the colon, remove unrelated response-body text, use Normalize headers, and check Header Snapshot again before using the Risk Register in a handoff.

Responsible Use Note:

Response headers can expose internal service names, partner routes, private origins, auth patterns, cache settings, and security-control gaps. Paste the smallest useful header sample and remove unrelated tokens, IDs, or hostnames when the review does not need them.

The assessment runs in the browser session and does not need request or response bodies. Copied tables, downloaded JSON, chart images, and shareable URL state can still contain sensitive operational evidence, so handle those outputs under the same rules as the source headers.

FAQ:

Can CORS replace authentication?

No. CORS controls whether browser JavaScript may read a cross-origin response. The endpoint still needs its own authentication, authorization, CSRF protection where relevant, and server-side origin allowlist logic.

Why is wildcard ACAO flagged with credentials?

Credentialed browser requests require a stricter response. If Access-Control-Allow-Credentials is true, the response should name one trusted origin instead of *. The checker reports this as Wildcard origin with credentials.

Why does Vary: Origin matter?

When ACAO changes based on the request Origin, Vary: Origin tells caches that the response can differ for different origins. With Require Vary: Origin for specific ACAO enabled, a specific ACAO without that token becomes a cache behavior finding.

Why did the checker ignore some lines?

Only Header-Name: value lines become header evidence. HTTP status lines, blank lines, and malformed lines are skipped. Fix missing colons or remove pasted body text when Input review reports ignored lines.

Does a low score prove the endpoint is safe?

No. Low - 0/100 means the pasted sample matched the checked CORS rules under the current settings. It does not test business authorization, deployed route coverage, CSRF controls, or every response variant.

Does the checker need response bodies?

No. Paste response headers only. Request bodies, response bodies, cookies, bearer tokens, and user data are not needed for the CORS risk review.

Glossary:

Origin: The scheme, host, and port that identify where browser JavaScript is running, such as https://app.example.com.
ACAO: Short for Access-Control-Allow-Origin, the response header that names which origin may read the response.
ACAC: Short for Access-Control-Allow-Credentials, the response header that opts into exposing credentialed responses when other CORS rules pass.
Vary: Origin: A cache signal that tells shared caches the response can change based on the request Origin.
Preflight: An OPTIONS request browsers send before some cross-origin requests to ask which methods and headers are allowed.
Exposed headers: Response headers named by Access-Control-Expose-Headers so browser JavaScript may read them.
Private Network Access: A browser protection that adds preflight checks before less-private websites access more-private network resources.

References:

Fetch Standard, CORS protocol and credentials, WHATWG.
Cross-Origin Resource Sharing (CORS), MDN Web Docs.
Access-Control-Allow-Origin header, MDN Web Docs, November 21, 2025.
Private Network Access: introducing preflights, Chrome for Developers, July 7, 2022.