CORS Origin Checker

Passive Access-Control-Allow-Origin matcher — paste a header value plus a list of origins to confirm wildcard, scheme, and subdomain rules

What is CORS Origin Checker

Written by Giorgos Kostas. Last reviewed:

CORS Origin Checker takes an `Access-Control-Allow-Origin` value (or comma-separated list, or `*`) and tests a batch of origins against it. Subdomain wildcards (e.g. `*.example.com`) are supported.

It also flags credentials-incompatible configurations: a wildcard origin cannot be used together with credentialed requests.

Why use it

  • Validate CORS rules before deploying.
  • Triage 'blocked by CORS' errors quickly.
  • Teach CORS behaviour with real examples.
  • Check multi-origin allowlists.
  • Spot credentials/wildcard misconfigurations.

Features

  • Exact origin matching
  • Comma-list + wildcard subdomain
  • Credentials-safe flag
  • Batch test many origins
  • Zero-upload: all matching runs in the browser, nothing touches a server

How to use CORS Origin Checker

  1. Paste allow-origin. Line 1 — the header value.
  2. Paste origins. Lines 2+ — one origin per line.
  3. Run. Each origin gets an ALLOWED / BLOCKED verdict.

Example (before/after)

Input

```
*.example.com, https://admin.example.org
https://shop.example.com
https://admin.example.org
https://attacker.com
```

Verdicts

```
Allow-Origin header value: *.example.com, https://admin.example.org
Credentials-safe: Yes

ALLOWED (wildcard subdomain)        https://shop.example.com
ALLOWED (exact match)               https://admin.example.org
BLOCKED                             https://attacker.com
```
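
The matching rules above, sketched as an added JavaScript example (not DevFox's own code; the function names and reason strings are assumptions). It assumes a wildcard entry without a scheme matches any scheme, that the apex domain does not match its own `*.` pattern, and that the suffix test is dot-anchored so look-alike hosts are rejected.

```javascript
// Added example: hypothetical re-implementation of the rules described on this page.
// parseOrigin, matchEntry and checkOrigins are illustrative names, not DevFox's API.

// Parse an origin strictly: scheme + host (+ optional port), no path, query or fragment.
function parseOrigin(value) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#@\s]+)$/i.exec(value.trim());
  if (!m) return null; // trailing slash, path, or missing scheme
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() };
}

// Return the match reason for one allowlist entry, or null if it does not match.
function matchEntry(entry, origin) {
  if (entry === '*') return 'wildcard';
  const wild = /^(?:([a-z][a-z0-9+.-]*):\/\/)?\*\.(.+)$/i.exec(entry);
  if (wild) {
    const [, scheme, base] = wild;
    if (scheme && scheme.toLowerCase() !== origin.scheme) return null;
    // Dot-anchored suffix test: "evilexample.com" must not match "*.example.com".
    return origin.host.endsWith('.' + base.toLowerCase()) ? 'wildcard subdomain' : null;
  }
  const exact = parseOrigin(entry);
  return exact && exact.scheme === origin.scheme && exact.host === origin.host
    ? 'exact match'
    : null;
}

// headerValue: "*", one origin, or a comma-separated list; origins: array of strings.
function checkOrigins(headerValue, origins) {
  const entries = headerValue.split(',').map((s) => s.trim()).filter(Boolean);
  const results = origins.map((raw) => {
    const origin = parseOrigin(raw);
    if (!origin) return { origin: raw, verdict: 'BLOCKED', reason: 'not a valid origin' };
    for (const entry of entries) {
      const reason = matchEntry(entry, origin);
      if (reason) return { origin: raw, verdict: 'ALLOWED', reason };
    }
    return { origin: raw, verdict: 'BLOCKED', reason: 'no match' };
  });
  // A bare "*" cannot be combined with credentialed requests.
  return { credentialsSafe: !entries.includes('*'), results };
}
```

Browsers themselves accept only `*` or a single exact origin in `Access-Control-Allow-Origin`, so a server holding a list like this runs the check against the request's `Origin` header and echoes back the one matched origin (with `Vary: Origin`).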

Common errors

Wildcard + credentials

Browsers reject `Access-Control-Allow-Origin: *` on requests sent with credentials.

Fix: Use an explicit origin list when cookies or auth are involved.

Trailing slashes

An origin is a scheme plus host, not a URL with a path.

Fix: Remove paths — include scheme + host only.

FAQ

Does it support wildcard subdomains?

Yes — `*.example.com` matches any subdomain.

Does it test credentials-mode?

It flags wildcard + credentials as unsafe.

Is input uploaded?

No — the checker runs client-side.

Does it make real requests?

No — it's a pure rule checker.

Does it handle protocol mismatches?

Yes — https://… and http://… are treated as distinct origins.