CORS Checker API Documentation
Overview
The CORS Checker API allows developers to analyze the Cross-Origin Resource Sharing (CORS) configuration of any public HTTP or HTTPS endpoint.
It performs a request to the specified remote URL using the provided HTTP method, headers, and optional body, then returns a detailed report of the CORS-related response headers.
This tool helps developers verify whether a remote server correctly exposes CORS headers such as Access-Control-Allow-Origin, Access-Control-Allow-Methods, and others.
Endpoint (POST)
POST https://api.apidatatools.com/cors-checker-api
Headers
| Header | Type | Required | Description |
|---|---|---|---|
| Content-Type | application/json | Yes | Must be set for JSON body input. |
| x-api-key | string | Yes | Your API key for authentication. |
| x-source-type | string | Optional | Set to body (default). Only body mode is supported for this tool. |
Accepted File Extensions
This tool does not accept file uploads or remote file URLs.
Only body mode is supported.
Input Example (Body Mode)
{
  "remote_url": "https://example.com",
  "method": "GET",
  "request_headers": "Authorization: Bearer token123; X-Test: 1",
  "request_body": ""
}
Fields:
| Field | Type | Required | Description |
|---|---|---|---|
| remote_url | string | Yes | The target URL to analyze. Must be a valid public HTTP/HTTPS URL. |
| method | string | Optional | HTTP method to use (GET, POST, PUT, PATCH, HEAD, OPTIONS). Default is GET. |
| request_headers | string | Optional | Custom headers to include in the request, separated by semicolons (;). |
| request_body | string | Optional | Request body content (for methods like POST or PUT). |
Input Example (URL Mode)
Not applicable.
This tool does not support asynchronous URL-based input.
Input Example (File Mode)
Not applicable.
This tool does not support file uploads.
Example Request
Synchronous (Body Input)
curl -X POST "https://api.apidatatools.com/cors-checker-api" \
  -H "Content-Type: application/json" \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{
    "remote_url": "https://example.com",
    "method": "GET",
    "request_headers": "X-Test: 1",
    "request_body": ""
  }'
Asynchronous (Remote File URL)
Not applicable.
Asynchronous (Input File)
Not applicable.
Example Response
Successful (Body Mode)
{
  "status": "success",
  "request_id": "b2c1f3e0-1234-4a7a-9a2f-abc123456789",
  "preview": "{\n \"status\": \"success\",\n \"remote_status\": 200,\n \"cors_report\": {\n \"access_control_allow_origin\": \"*\",\n \"access_control_allow_methods\": \"GET, POST, OPTIONS\",\n \"access_control_allow_headers\": \"Content-Type, Authorization\",\n \"access_control_allow_credentials\": \"true\",\n \"access_control_expose_headers\": null,\n \"vary\": \"Origin\"\n },\n \"response_headers\": {\n \"Content-Type\": \"application/json\",\n \"Access-Control-Allow-Origin\": \"*\",\n \"Access-Control-Allow-Methods\": \"GET, POST, OPTIONS\"\n }\n}"
}
Response Fields:
| Field | Type | Description |
|---|---|---|
| status | string | Always "success" on successful analysis. |
| request_id | string | Unique identifier for the request. |
| preview | string | JSON string containing the detailed CORS analysis result. |
Async Job Accepted
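Because preview is itself a JSON string, a client has to decode the response twice before it can inspect cors_report. The following is an added example, not code from the API's authors: it decodes a constructed copy of the sample response above and flags header combinations worth reviewing. The function names and finding labels are this example's own.

```python
import json

# Constructed sample mirroring the "Successful (Body Mode)" response on this page.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "request_id": "b2c1f3e0-1234-4a7a-9a2f-abc123456789",
    "preview": json.dumps({
        "status": "success",
        "remote_status": 200,
        "cors_report": {
            "access_control_allow_origin": "*",
            "access_control_allow_methods": "GET, POST, OPTIONS",
            "access_control_allow_headers": "Content-Type, Authorization",
            "access_control_allow_credentials": "true",
            "access_control_expose_headers": None,
            "vary": "Origin",
        },
    }),
})


def extract_cors_report(raw_response):
    """Decode the envelope, then the JSON document carried as a string in `preview`."""
    envelope = json.loads(raw_response)
    if envelope.get("status") != "success":
        raise ValueError(f"{envelope.get('error')} (request_id={envelope.get('request_id')})")
    return json.loads(envelope["preview"])["cors_report"]


def review_cors_report(report):
    """Return finding labels (names are this example's own) for one cors_report."""
    findings = []
    origin = report.get("access_control_allow_origin")
    credentials = report.get("access_control_allow_credentials") == "true"
    vary = [v.strip().lower() for v in (report.get("vary") or "").split(",")]
    if origin is None:
        findings.append("no-allow-origin")  # cross-origin reads are not permitted
    elif origin == "*":
        if credentials:
            # Browsers reject a wildcard origin on credentialed requests.
            findings.append("wildcard-with-credentials")
    elif origin == "null":
        findings.append("null-origin-allowed")  # "null" does not identify a single site
    elif "origin" not in vary:
        # A per-origin value without "Vary: Origin" can be served to other origins from a cache.
        findings.append("specific-origin-without-vary")
    return findings


if __name__ == "__main__":
    print(review_cors_report(extract_cors_report(SAMPLE_RESPONSE)))
```

A single response cannot show whether the server reflects the Origin header, so treat specific-origin-without-vary as a prompt to check the server configuration rather than as a confirmed defect.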
Not applicable.
This tool does not support asynchronous processing.
Error Handling
The API returns standardized error responses with an error code, message, and request_id.
Common Errors
| Error Code | HTTP Status | Description |
|---|---|---|
| INVALID_JSON | 400 | The request body is not valid JSON. |
| MISSING_URL | 400 | The remote_url field is missing. |
| INVALID_URL | 400 | The provided URL is not a valid public HTTP/HTTPS URL. |
| INVALID_METHOD | 400 | The HTTP method is not allowed. |
| SSRF_BLOCKED | 400 | The URL points to a private or internal IP address. |
| URL_UNREACHABLE | 400 | The target URL could not be reached. |
| REQUEST_FAILED | 400 | The request to the remote server failed. |
| PAYLOAD_TOO_LARGE | 413 | The request body exceeds the allowed size limit. |
| UNKNOWN_FUNCTION | 404 | The endpoint is not recognized. |
| INTERNAL_ERROR | 500 | Unexpected internal error occurred. |
Example Error Response
{
  "status": "error",
  "error": "INVALID_URL",
  "request_id": "b2c1f3e0-1234-4a7a-9a2f-abc123456789",
  "details": {
    "message": "URL must be a valid http/https URL."
  }
}
Async Job Status
Not applicable.
This tool operates synchronously only.
Notes for Developers
- This API performs a live HTTP request to the specified remote URL. Ensure the target server is publicly accessible.
- Requests to private, loopback, or internal IP ranges are automatically blocked for security reasons.
- The tool supports only body mode; asynchronous URL or file-based operations are not available.
- The request_id field is included in every response for traceability.
- The returned cors_report object provides a structured summary of key CORS-related headers.
- Use this API to validate CORS configurations during development, testing, or monitoring of web services.