Web
CORS policy analyzer + misconfig flags API
Sends a preflight OPTIONS (with configurable Origin and request method) plus a GET, reads every Access-Control-* response header, and flags misconfigurations: wildcard-with-credentials, reflected origin, null-origin-allowed, wildcard methods/headers, returning a security verdict. The value-add: it interprets headers into a verdict instead of just echoing them. Answers 'is this API's CORS misconfigured', 'does this endpoint allow my origin', 'check CORS preflight for this URL', 'are credentials allowed cross-origin'.
Price$0.01per request
MethodPOST
Route/v1/web/cors
StatusLive
MIME typeapplication/json
Rate limit60/minute
Cache3600s public
webcorspreflightaccess-controlsecurityoriginheadersmisconfig
API URL
Integration docshttps://x402.hexl.dev/v1/web/corsExample request
{
"url": "https://api.github.com",
"origin": "https://example.com"
}Example response
{
"url": "https://api.github.com",
"origin": "https://example.com",
"corsEnabled": true,
"allowsRequestedOrigin": true,
"allowOrigin": "*",
"allowCredentials": false,
"allowMethods": [
"GET",
"POST",
"PATCH",
"PUT",
"DELETE"
],
"allowHeaders": [],
"preflightStatus": 204,
"verdict": "permissive",
"flags": []
}Input schema
{
"type": "object",
"required": [
"url"
],
"properties": {
"url": {
"type": "string",
"examples": [
"https://api.github.com"
]
},
"origin": {
"type": "string",
"examples": [
"https://example.com"
]
},
"method": {
"type": "string",
"examples": [
"GET"
]
}
}
}Output schema
{
"type": "object",
"additionalProperties": true
}