Check which cross-origin permissions a URL grants for a given origin
Sends a real request to any URL you provide, attaches an Origin header, and reads back all six standard cross-origin permission headers the server returns. Tells you whether cross-origin requests are enabled at all, whether your specific origin is permitted, and shows you every permission value exactly as the server sent it. Perfect for figuring out why a browser is blocking a request, confirming a freshly deployed service is configured correctly, or auditing whether a public API allows credentialed cross-origin calls.
https://cors-header-checker.underscoredone.com/check$0.01 per request — pay via x402/USDC. No account needed.
POST a JSON body with a required 'url' field (the endpoint to probe) and an optional 'origin' field (defaults to https://example.com). The response always includes 'cors_enabled' (boolean, true if any CORS header was found), 'origin_allowed' (boolean, true if the tested origin would be permitted by the browser), and a 'headers' object with all six Access-Control-* values as strings or null when absent. If the target server could not be reached, the response includes an 'error' string and 'status' is null — this is still a 200 response from this API, not an error. Only raise 400 for malformed input such as a non-HTTP URL. Use 'origin_allowed' to decide whether a frontend at that origin can call the URL. Use 'cors_enabled' to detect servers that return no CORS headers at all.
| Name | Type | Required | Description |
|---|---|---|---|
url | string | yes | The full web address of the endpoint you want to check — must start with http:// or https://. |
origin | string/null | no | The website address you want to test cross-origin access from, for example https://myapp.com. Defaults to https://example.com if you leave it out. |
{
"url": "https://api.github.com",
"origin": "https://myapp.com"
}{
"url": "https://api.github.com"
}{
"url": "not-a-url",
"origin": "https://myapp.com"
}{
"url": "https://httpbin.org/get",
"origin": "https://a-very-long-subdomain-name.some-enterprise-domain.internal.example.com"
}{
"api_version": "1.0.0",
"url": "https://api.github.com",
"origin_tested": "https://myapp.com",
"status": 200,
"cors_enabled": true,
"origin_allowed": false,
"headers": {
"access-control-allow-origin": "https://github.com",
"access-control-allow-methods": null,
"access-control-allow-headers": null,
"access-control-allow-credentials": null,
"access-control-expose-headers": "ETag, Link, Location",
"access-control-max-age": null
},
"error": null
}
| Status | Meaning |
|---|---|
400 | Bad request — your input failed validation or could not be processed. Check the detail field for specifics. |
402 | Payment required. Send a signed USDC payment on Base Mainnet using the x402 protocol. |
422 | Unprocessable — a required field is missing or the wrong type. Check the detail field for specifics. |