CORS Origin Checker

Test whether origins are allowed by a given Access-Control-Allow-Origin value — wildcard and subdomain aware

What is CORS Origin Checker

CORS Origin Checker takes an `Access-Control-Allow-Origin` value (or comma-separated list, or `*`) and tests a batch of origins against it. Subdomain wildcards (e.g. `*.example.com`) are supported.

It also flags credentials-incompatible configurations: a wildcard origin cannot be used together with credentialed requests.

Why use it

  • Validate CORS rules before deploying.
  • Triage 'blocked by CORS' errors quickly.
  • Teach CORS behaviour with real examples.
  • Check multi-origin allowlists.
  • Spot credentials/wildcard misconfigurations.

Features

  • Exact origin matching
  • Comma-list + wildcard subdomain
  • Credentials-safe flag
  • Batch test many origins
  • Zero-upload: the check runs in the browser and nothing touches a server

How to use CORS Origin Checker

  1. Paste allow-origin. Line 1 — the header value.
  2. Paste origins. Lines 2+ — one origin per line.
  3. Run. Each origin gets an ALLOWED / BLOCKED verdict.

Example (before/after)

Input

*.example.com, https://admin.example.org
https://shop.example.com
https://admin.example.org
https://attacker.com

Verdicts

Allow-Origin header value: *.example.com, https://admin.example.org
Credentials-safe: Yes

ALLOWED (wildcard subdomain)        https://shop.example.com
ALLOWED (exact match)               https://admin.example.org
BLOCKED                             https://attacker.com
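
The matching rules behind these verdicts, written out as an added JavaScript example (not the tool's own code). Browsers themselves honour only a single origin or `*` in the header, so the comma list and `*.example.com` forms are treated here as a server-side allowlist; that reading, the function names and the three look-alike hosts in the sample input are assumptions.

```javascript
// Added example: a hypothetical re-implementation of the rules described above,
// not the tool's source. Function names are assumptions.

// Return the serialized origin (scheme://host[:port]) or null if `value`
// carries a path, trailing slash, query, or is not a URL at all.
function toOrigin(value) {
  const v = value.trim().toLowerCase();
  try {
    return new URL(v).origin === v ? v : null;
  } catch {
    return null;
  }
}

// Check one request origin against one allowlist entry.
function matchEntry(entry, origin) {
  if (entry === '*') return 'wildcard';
  const wild = /^(?:(https?):\/\/)?\*\.([a-z0-9.-]+)$/.exec(entry);
  if (wild) {
    const [, scheme, domain] = wild;
    const u = new URL(origin);
    if (scheme && u.protocol !== scheme + ':') return null;
    // Require a label boundary: "evilexample.com" must not match "*.example.com".
    return u.host.endsWith('.' + domain) ? 'wildcard subdomain' : null;
  }
  return toOrigin(entry) === origin ? 'exact match' : null;
}

function checkOrigins(allowValue, origins) {
  const entries = allowValue.split(',').map((e) => e.trim().toLowerCase()).filter(Boolean);
  const results = origins.map((raw) => {
    const origin = toOrigin(raw);
    if (!origin) return { origin: raw, verdict: 'BLOCKED', reason: 'not a valid origin' };
    const reason = entries.map((e) => matchEntry(e, origin)).find(Boolean);
    return { origin: raw, verdict: reason ? 'ALLOWED' : 'BLOCKED', reason: reason || null };
  });
  // "*" cannot be combined with credentialed requests.
  return { credentialsSafe: !entries.includes('*'), results };
}

// Constructed sample input: the page's example plus three look-alike hosts.
const report = checkOrigins('*.example.com, https://admin.example.org', [
  'https://shop.example.com', 'https://admin.example.org', 'https://attacker.com',
  'https://evilexample.com', 'https://example.com.attacker.com', 'https://admin.example.org/',
]);
console.table(report.results);
```

The suffix test is the part most often written wrong: a bare `endsWith('example.com')` or an unanchored regex would allow `https://evilexample.com`.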

Common errors

Wildcard + credentials

Browsers reject `Access-Control-Allow-Origin: *` on credentialed requests.

Fix: Use an explicit origin list when cookies or auth are involved.

Trailing slashes

An origin is a scheme plus host (and port, if non-default), not a URL with a path, so a value ending in `/` never matches.

Fix: Remove paths — include scheme + host only.

FAQ

Does it support wildcard subdomains?

Yes — `*.example.com` matches any subdomain.

Does it test credentials-mode?

It flags wildcard + credentials as unsafe.

Is input uploaded?

No — the checker runs client-side.

Does it make real requests?

No — it's a pure rule checker.

Does it handle protocol mismatches?

Yes — https://… and http://… are treated as distinct origins.