Test how your server responds to cross-origin requests. Detect wildcard CORS and dangerous credential combinations.
This tool sends a request with Origin: https://evil.example.com and inspects Access-Control-Allow-Origin and Access-Control-Allow-Credentials response headers.
The most dangerous combination is Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true (ACAO: * with ACAC: true): this allows any site to make authenticated requests on behalf of your users.
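As an added example (not the tool's own code), the following Python script sends the same probe with Origin: https://evil.example.com and classifies the Access-Control-Allow-Origin / Access-Control-Allow-Credentials pair it gets back; the target URL is taken from the command line, and the severity labels are assumptions.

```python
import sys
import urllib.error
import urllib.request

# Constructed attacker-controlled origin; the server should never trust it.
PROBE_ORIGIN = "https://evil.example.com"


def classify_cors(headers, probe_origin=PROBE_ORIGIN):
    """Map the ACAO/ACAC pair in `headers` to (severity, finding).

    `headers` may be a plain dict or an http.client.HTTPMessage; header
    names are compared case-insensitively. Severity labels are assumptions.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    acac = lower.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "ok", "no Access-Control-Allow-Origin: cross-origin reads are blocked"
    if acao == "*" and acac:
        # The combination the page warns about. Browsers refuse to expose a
        # credentialed response whose ACAO is a literal '*', so in practice this
        # reveals a server that intended to allow credentials from anyone.
        return "high", "wildcard ACAO combined with ACAC: true"
    if acao == probe_origin and acac:
        # The server echoed an untrusted origin and allowed credentials: a
        # browser accepts this, so any site can read authenticated responses.
        return "high", "untrusted origin reflected with ACAC: true"
    if acao == probe_origin:
        return "medium", "untrusted origin reflected (no credentials)"
    if acao == "*":
        return "low", "wildcard ACAO without credentials: acceptable for public data only"
    return "ok", f"ACAO restricted to {acao}"


def probe(url, probe_origin=PROBE_ORIGIN, timeout=10):
    """Send one GET with a foreign Origin and classify the response headers."""
    req = urllib.request.Request(url, headers={"Origin": probe_origin})
    try:
        resp = urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # 4xx/5xx responses carry CORS headers too
    return classify_cors(resp.headers, probe_origin)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: cors_probe.py https://target.example/")
    severity, finding = probe(sys.argv[1])
    print(f"[{severity}] {finding}")
```

Because browsers drop credentialed responses whose ACAO is a literal *, the reflected-origin-plus-credentials case is the one a browser will actually accept, so the script flags both patterns rather than only the wildcard one.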