CORS Policy Analyzer – Endpoint
Base URL
https://api.rsch.io
Path
/api/v1/recon/cors
Method
GET
Query Parameters
domain – Required. Domain or URL whose CORS behavior should be inspected, for example rsch.io or https://api.rsch.io.
Example Request
GET https://api.rsch.io/api/v1/recon/cors?domain=testphp.vulnweb.com
Responses follow the standard API envelope:
{
  "status": "success",
  "request_id": "ffd795f4-35ad-4855-9402-eb3bfb3536ec",
  "date": "2025-11-19 08:18:38",
  "duration": 0.143052577972412,
  "data": {
    "input": "http://testphp.vulnweb.com/",
    "url": "http://testphp.vulnweb.com/",
    "final_url": "http://testphp.vulnweb.com/",
    "status_code": 200,
    "host": "testphp.vulnweb.com",
    "analysis": {
      "headers": {
        "access_control_allow_origin": {
          "present": false,
          "value": null,
          "status": "WARN",
          "icon": "⚠️",
          "notes": "Access-Control-Allow-Origin is not present on this response. CORS may still be configured for preflight or different paths."
        },
        "access_control_allow_credentials": {
          "present": false,
          "value": null,
          "status": "WARN",
          "icon": "⚠️",
          "notes": "Access-Control-Allow-Credentials is not present."
        },
        "access_control_allow_methods": {
          "present": false,
          "value": null,
          "status": "WARN",
          "icon": "⚠️",
          "notes": "Access-Control-Allow-Methods is not present on this response. It may be returned on preflight (OPTIONS) requests instead."
        },
        "access_control_allow_headers": {
          "present": false,
          "value": null,
          "status": "WARN",
          "icon": "⚠️",
          "notes": "Access-Control-Allow-Headers is not present on this response. It may be returned on preflight (OPTIONS) requests."
        },
        "access_control_expose_headers": {
          "present": false,
          "value": null,
          "status": "WARN",
          "icon": "⚠️",
          "notes": "Access-Control-Expose-Headers is not present."
        },
        "access_control_max_age": {
          "present": false,
          "value": null,
          "status": "WARN",
          "icon": "⚠️",
          "notes": "Access-Control-Max-Age is not present."
        }
      },
      "overall_risk": "LOW",
      "findings": []
    }
  }
}
On error, the envelope contains an error field with a human-readable message.
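A consumer of this envelope, as an added example that is not part of the rsch.io documentation: it raises on the error field and flags a result for review from overall_risk and findings rather than from the per-header WARN statuses, which all fire in the sample response while the risk is still LOW. The names summarize, header_name, CorsApiError and needs_review are hypothetical, both sample envelopes are constructed, and treating any risk other than LOW as reviewable is an assumption.

```python
import json

# Constructed sample: the response above, trimmed to two of its six header entries.
SAMPLE = json.loads("""
{"status": "success",
 "data": {"url": "http://testphp.vulnweb.com/",
          "final_url": "http://testphp.vulnweb.com/",
          "host": "testphp.vulnweb.com",
          "analysis": {
            "headers": {
              "access_control_allow_origin": {"present": false, "value": null, "status": "WARN"},
              "access_control_allow_credentials": {"present": false, "value": null, "status": "WARN"}},
            "overall_risk": "LOW",
            "findings": []}}}
""")
# Constructed error envelope: the page only says an "error" field carries a message.
SAMPLE_ERROR = {"error": "constructed example message"}


class CorsApiError(Exception):
    """Raised when the envelope carries an error instead of data."""


def header_name(key):
    # access_control_allow_origin -> Access-Control-Allow-Origin
    return "-".join(part.capitalize() for part in key.split("_"))


def summarize(envelope):
    """Reduce a CORS analyzer envelope to the fields a triage step needs."""
    if "error" in envelope or envelope.get("status") != "success":
        raise CorsApiError(envelope.get("error", "unexpected envelope"))
    data = envelope["data"]
    analysis = data["analysis"]
    headers = analysis["headers"]
    return {
        "host": data["host"],
        "redirected": data["url"] != data["final_url"],
        "present": {header_name(k): v["value"] for k, v in headers.items() if v["present"]},
        # Absent on this GET only; the notes say preflight or other paths may differ.
        "absent": sorted(header_name(k) for k, v in headers.items() if not v["present"]),
        "overall_risk": analysis["overall_risk"],
        # Assumption: anything other than LOW, or any finding, warrants a manual look.
        "needs_review": analysis["overall_risk"] != "LOW" or bool(analysis["findings"]),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```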