cors-tester

Test, debug, and generate CORS configurations from the command line.

Quick Start

# Test CORS headers on a URL
python3 scripts/cors_tester.py test https://api.example.com/data --origin https://myapp.com

# Test preflight (OPTIONS) request
python3 scripts/cors_tester.py preflight https://api.example.com/data --origin https://myapp.com --method POST --header "Content-Type"

# Generate CORS config for a framework
python3 scripts/cors_tester.py config --framework nginx --origins "https://myapp.com,https://staging.myapp.com" --methods "GET,POST,PUT,DELETE"

# Audit CORS security
python3 scripts/cors_tester.py audit https://api.example.com/data

Commands

test

Send a request with an Origin header and inspect the CORS response headers.

python3 scripts/cors_tester.py test <url> --origin <origin> [--method GET]

Options:

• --origin — Origin to test (required)
• --method — HTTP method (default: GET)
• --verbose — Show all response headers

Output shows:

• Access-Control-Allow-Origin — Whether the origin is allowed
• Access-Control-Allow-Credentials — Whether credentials are supported
• Access-Control-Expose-Headers — Which headers are exposed

preflight

Send an OPTIONS preflight request to test if a cross-origin request would be allowed.

python3 scripts/cors_tester.py preflight <url> --origin <origin> [--method POST] [--header Content-Type]

Options:

• --origin — Origin to test (required)
• --method — Method to request (default: POST)
• --header — Custom header to request (repeatable)

Output shows:

• Access-Control-Allow-Methods — Allowed methods
• Access-Control-Allow-Headers — Allowed headers
• Access-Control-Max-Age — Preflight cache duration

audit

Check a URL for common CORS misconfigurations and security issues.

python3 scripts/cors_tester.py audit <url>

Checks for:

• Wildcard origin (*) with credentials
• Origin reflection (server echoes any origin back)
• Missing Vary: Origin header
• Overly permissive allowed methods
• Missing preflight cache (Access-Control-Max-Age)

config

Generate CORS configuration snippets for common frameworks.

python3 scripts/cors_tester.py config --framework <name> --origins <origins> [--methods <methods>] [--headers <headers>] [--credentials]

Options:

• --framework — Target: nginx, apache, express, flask, fastapi, rails
• --origins — Comma-separated allowed origins
• --methods — Comma-separated methods (default: GET,POST,OPTIONS)
• --headers — Comma-separated allowed headers (default: Content-Type,Authorization)
• --credentials — Allow credentials
• --max-age — Preflight cache (default: 86400)