API Policy Demo

CORS Misconfig

The probe fetches an endpoint that looks authenticated and prints the two permissive CORS headers that should never be sent together: a wildcard Access-Control-Allow-Origin and Access-Control-Allow-Credentials: true. Browsers refuse to expose a credentialed response whose allowed origin is the wildcard, so the pair is an invalid configuration rather than a working one; the same mistake becomes exploitable when the server reflects the requesting origin instead of sending the wildcard.

Expected Findings

  • Wildcard origin and credentials are enabled together.
  • Profile data is accessible with no meaningful access control.

Primary Flows

Signals

Headers
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
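The check a browser applies to these headers, written out as an added example (not the demo page's own probe code). It mirrors the CORS check from the Fetch spec and adds a small audit that classifies the header combinations; it goes slightly beyond the page by also covering the origin-reflection case, which is the exploitable variant of the same misconfiguration. The attacker origin, the DEMO_HEADERS object and the reflecting server are constructed samples.

```javascript
// Added example (not the demo's own code): a browser-style CORS check plus a
// header audit. The endpoint, origins and headers below are constructed samples.

// Mirrors the "CORS check" from the Fetch spec for a request sent from
// `requestOrigin`; returns true if the browser would expose the response body.
function corsCheck(requestOrigin, headers, credentialsMode) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao === undefined) return false;                          // no header: blocked
  if (credentialsMode !== 'include' && acao === '*') return true; // anonymous + wildcard
  if (acao !== requestOrigin) return false;                       // must match exactly
  if (credentialsMode !== 'include') return true;
  return acac === 'true';                                         // credentialed: needs literal "true"
}

// Classifies a response's CORS headers as seen from an untrusted origin.
function auditCors(attackerOrigin, headers) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'] === 'true';
  const findings = [];
  if (acao === '*' && acac) findings.push('wildcard-with-credentials');            // invalid pair
  if (acao === attackerOrigin && acac) findings.push('origin-reflected-with-credentials'); // exploitable
  if (acao === 'null' && acac) findings.push('null-origin-with-credentials');      // sandboxed iframes
  if (acao === '*' && !acac) findings.push('wildcard-public');                     // fine for public data
  return findings;
}

// Constructed sample: the headers reported by the demo page.
const DEMO_HEADERS = {
  'access-control-allow-origin': '*',
  'access-control-allow-credentials': 'true',
};

// Constructed sample (hypothetical server): reflects the request's Origin header.
function reflectingServerHeaders(originRequestHeader) {
  return {
    'access-control-allow-origin': originRequestHeader,
    'access-control-allow-credentials': 'true',
  };
}

function demo() {
  const attacker = 'https://attacker.example';
  const reflected = reflectingServerHeaders(attacker);
  return {
    demoCredentialed: corsCheck(attacker, DEMO_HEADERS, 'include'),   // false: browser blocks it
    demoAnonymous: corsCheck(attacker, DEMO_HEADERS, 'omit'),         // true: anyone can read it
    demoFindings: auditCors(attacker, DEMO_HEADERS),
    reflectedCredentialed: corsCheck(attacker, reflected, 'include'),  // true: cookies ride along
    reflectedFindings: auditCors(attacker, reflected),
  };
}

console.log(demo());
```

The two outcomes for the demo headers show why the finding matters even though the pair is invalid: the endpoint's profile data is readable by any origin without credentials, and a server that "fixes" the wildcard by echoing the Origin header turns the same endpoint into a credentialed cross-origin read.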