Inspect the CORS policy on any endpoint.

Paste any HTTPS endpoint and Pentrova returns a deterministic breakdown of its CORS configuration: allowed origin, credential exposure, methods, exposed headers, and preflight cache. The request runs from your browser and nothing is stored on our servers.

How the check works

Origin + credentials

We grade the Access-Control-Allow-Origin and Access-Control-Allow-Credentials pair and flag unsafe combinations such as wildcard + credentials.
Methods + preflight

A preflight OPTIONS call reads Allow-Methods, Allow-Headers, Expose-Headers, and Max-Age so you can see the full cross-origin surface area in one view.
No persistence

Submitted URLs are never logged, cached, or shared. Results live only in the current browser session.

/* When JS is disabled the IntersectionObserver never runs, so the `opacity: 0` initial state of reveal elements would hide content permanently. Snap everything visible. */ .scroll-reveal, [data-reveal], .reveal-group > .reveal { opacity: 1 !important; transform: none !important; animation: none !important; } .section-rule { transform: scaleX(1) !important; }

Inspect the CORS policy on any endpoint.

How the check works

Origin + credentials

Methods + preflight

No persistence