What is CORS?
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls which external websites are allowed to make JavaScript requests to your server. Without CORS restrictions, any website a user visits could silently make API calls to your service on their behalf — reading private data or performing actions.
CORS is enforced by the browser via HTTP headers your server sends in responses. A CORS misconfiguration occurs when those headers are set too permissively, allowing untrusted origins to make credentialed requests to your API.
What to do
The most common mistakes
Wildcard origin with credentials
This combination is the most dangerous and is rejected by browsers — but attempting it indicates a misconfiguration that may work in non-browser clients:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
The * wildcard and credentials: true cannot be combined securely. If you need credentialed cross-origin requests, you must specify an explicit origin.
Reflecting the request Origin header without validation
Some servers dynamically echo back whatever Origin header the request sends:
Example of a bad configuration
response.headers['Access-Control-Allow-Origin'] = request.headers.get('Origin')
This effectively allows any origin, including malicious ones, to make authenticated requests to your API.
How to fix it
Option 1 — Restrict to known origins (recommended)
Maintain an allowlist of trusted origins and only reflect the origin if it is in the list:
ALLOWED_ORIGINS = {'https://app.yourdomain.com', 'https://admin.yourdomain.com'}
origin = request.headers.get('Origin', '')
if origin in ALLOWED_ORIGINS:  # exact set membership, never a prefix or substring test
    response.headers['Access-Control-Allow-Origin'] = origin
    response.headers['Access-Control-Allow-Credentials'] = 'true'
Option 2 — Use * only for fully public, unauthenticated endpoints
If an API endpoint returns only public data and never uses cookies or auth headers, a wildcard is acceptable:
Access-Control-Allow-Origin: *
Do not combine with Access-Control-Allow-Credentials: true.
Option 3 — Avoid CORS entirely for sensitive APIs
If your front-end and API are on the same origin, you don't need CORS headers at all. Host them on the same domain, or use a reverse proxy to present them on one.
How ExposureIndex detects this
The scanner sends test requests with a crafted Origin header (e.g. https://evil.example.com) and checks whether the server reflects it back in Access-Control-Allow-Origin. A reflected arbitrary origin combined with Allow-Credentials: true is flagged as a high-severity finding.
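The allowlist check from Option 1 and the detection rule just described, worked through in Python as an added example (this is not ExposureIndex's code); the origins are the ones used on this page, and the function names and the severity labels are assumptions:

```python
from typing import Dict, Optional

# Constructed allowlist for this example; a real service loads it from configuration.
ALLOWED_ORIGINS = {"https://app.yourdomain.com", "https://admin.yourdomain.com"}


def cors_headers(origin: Optional[str], credentialed: bool = True) -> Dict[str, str]:
    """Option 1: emit CORS headers only for an exact allowlist match.

    A prefix or substring test would also accept unrelated origins that merely
    contain an allowed one, so membership in the set is the whole check.
    """
    if not origin or origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers at all: the browser blocks the cross-origin read
    headers = {
        "Access-Control-Allow-Origin": origin,
        # Shared caches must key on Origin, or a response allowed for one
        # origin could be served to another.
        "Vary": "Origin",
    }
    if credentialed:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def reflecting_headers(origin: str) -> Dict[str, str]:
    """The bad configuration from above: echo any Origin, with credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def classify_cors(headers: Dict[str, str], probe_origin: str) -> str:
    """Classify a response to a probe that sent `Origin: probe_origin`.

    Mirrors the scanner rule: a reflected arbitrary origin or a wildcard
    together with Allow-Credentials: true is the high-severity case.
    """
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        return "high:wildcard-with-credentials" if creds else "info:wildcard-public"
    if acao == probe_origin:
        return "high:reflected-with-credentials" if creds else "medium:reflected"
    return "ok:restricted"
```

Running classify_cors over the headers produced by cors_headers for the probe origin yields "none", while the reflecting configuration yields the high-severity label.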
Last updated: March 28, 2026