← All APIs Network

CORS Header Checker API

Check which cross-origin permissions a URL grants for a given origin

Sends a real request to any URL you provide, attaches an Origin header, and reads back all six standard cross-origin permission headers the server returns. Tells you whether cross-origin requests are enabled at all, whether your specific origin is permitted, and shows you every permission value exactly as the server sent it. Perfect for figuring out why a browser is blocking a request, confirming a freshly deployed service is configured correctly, or auditing whether a public API allows credentialed cross-origin calls.

POSThttps://cors-header-checker.underscoredone.com/check
Pricing

$0.01 per request — pay via x402/USDC. No account needed.

How to call

POST a JSON body with a required 'url' field (the endpoint to probe) and an optional 'origin' field (defaults to https://example.com). The response always includes 'cors_enabled' (boolean, true if any CORS header was found), 'origin_allowed' (boolean, true if the tested origin would be permitted by the browser), and a 'headers' object with all six Access-Control-* values as strings or null when absent. If the target server could not be reached, the response includes an 'error' string and 'status' is null — this is still a 200 response from this API, not an error. Only raise 400 for malformed input such as a non-HTTP URL. Use 'origin_allowed' to decide whether a frontend at that origin can call the URL. Use 'cors_enabled' to detect servers that return no CORS headers at all.

Input parameters
NameTypeRequiredDescription
urlstringyesThe full web address of the endpoint you want to check — must start with http:// or https://.
originstring/nullnoThe website address you want to test cross-origin access from, for example https://myapp.com. Defaults to https://example.com if you leave it out.
Example requests
Typical input
{
  "url": "https://api.github.com",
  "origin": "https://myapp.com"
}
Zero or empty input
{
  "url": "https://api.github.com"
}
Invalid input (400 error)
{
  "url": "not-a-url",
  "origin": "https://myapp.com"
}
Large input
{
  "url": "https://httpbin.org/get",
  "origin": "https://a-very-long-subdomain-name.some-enterprise-domain.internal.example.com"
}
Example response
{
  "api_version": "1.0.0",
  "url": "https://api.github.com",
  "origin_tested": "https://myapp.com",
  "status": 200,
  "cors_enabled": true,
  "origin_allowed": false,
  "headers": {
    "access-control-allow-origin": "https://github.com",
    "access-control-allow-methods": null,
    "access-control-allow-headers": null,
    "access-control-allow-credentials": null,
    "access-control-expose-headers": "ETag, Link, Location",
    "access-control-max-age": null
  },
  "error": null
}
Error responses
StatusMeaning
400Bad request — your input failed validation or could not be processed. Check the detail field for specifics.
402Payment required. Send a signed USDC payment on Base Mainnet using the x402 protocol.
422Unprocessable — a required field is missing or the wrong type. Check the detail field for specifics.
Links