Free CORS Misconfiguration Tester
Test any URL for dangerous CORS misconfigurations: origin reflection, wildcard-with-credentials, and null-origin acceptance that can leak authenticated data.
Frequently asked
What CORS problems does this find?
It sends requests with crafted Origin headers and checks the response for the following: reflecting any origin back, allowing '*' together with credentials, accepting a 'null' origin, or reflecting arbitrary origins with Access-Control-Allow-Credentials. All of these can expose authenticated data to malicious sites.
Why can't a browser tool do this itself?
Browsers block JavaScript from setting the Origin header and from reading cross-origin responses, so the request is made server-side from SimplyScan with the chosen Origin, and the raw CORS response headers are reported back to you.
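As an added illustration (not SimplyScan's own code), the sketch below classifies the raw CORS response headers returned for one probe Origin into the findings listed above. The function name, finding labels, probe origin and sample responses are all constructed for this example.

```python
# Added example, not the tool's code. Names and sample data are constructed.
PROBE = "https://cors-probe.example"  # assumed untrusted test origin

def classify_cors(probe_origin, headers):
    """Map one probe Origin and its response headers to finding labels."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    # Only the exact value "true" enables credentialed reads.
    creds = h.get("access-control-allow-credentials", "") == "true"
    findings = []
    if acao is None:
        return findings  # no CORS grant at all
    if acao == "*":
        if creds:
            findings.append("wildcard-with-credentials")
    elif probe_origin == "null" and acao == "null":
        findings.append("null-origin-accepted")
    elif acao == probe_origin:
        # The server echoed an origin it has no reason to trust.
        findings.append("origin-reflected")
        if creds:
            findings.append("reflection-with-credentials")
    return findings

# Constructed (probe Origin, response headers) pairs; no network access needed.
SAMPLES = [
    (PROBE, {"Access-Control-Allow-Origin": PROBE,
             "Access-Control-Allow-Credentials": "true"}),
    (PROBE, {"access-control-allow-origin": PROBE}),
    ("null", {"Access-Control-Allow-Origin": "null"}),
    (PROBE, {"Access-Control-Allow-Origin": "*",
             "Access-Control-Allow-Credentials": "true"}),
    (PROBE, {"Access-Control-Allow-Origin": "*"}),
    (PROBE, {"Access-Control-Allow-Origin": "https://app.example"}),
    (PROBE, {"Content-Type": "application/json"}),
]

def run_samples():
    """Classify every constructed sample and return the findings in order."""
    return [classify_cors(origin, hdrs) for origin, hdrs in SAMPLES]

if __name__ == "__main__":
    for (origin, _), found in zip(SAMPLES, run_samples()):
        print(f"Origin: {origin:<28} -> {found or ['no finding']}")
```

A fixed allowlisted origin and a bare '*' without credentials produce no finding here, which is the baseline to compare a real response against.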