Critical severity

CORS Misconfiguration

Cross-Origin Resource Sharing (CORS) controls which domains can access your API resources via the browser.

Business risk

The "Wildcard Exploit": Setting `Access-Control-Allow-Origin: *` allows ANY site to read your API response. If you also allow `Access-Control-Allow-Credentials: true`, you have created a Critical vulnerability. Attackers can read private user data (emails, settings) by hosting a malicious site that queries your API on behalf of the logged-in user.

Technical details

Never use `*` with `Credentials: true`. The browser will actually block this combo, so developers often accidentally write code that reflects the `Origin` header, which is just as bad. Explicitly whitelist trusted domains.

How to detect it

Probe the endpoint with a custom `Origin` header and inspect the response. Three red flags: `Access-Control-Allow-Origin: *` plus `Access-Control-Allow-Credentials: true` (browser will block but the misconfig proves reflection logic is wrong), origin echo (ACAO equals whatever you send), and a permissive regex that accepts unexpected subdomains.

Test origin reflection

curl -sI -H "Origin: https://attacker.com" https://api.yourdomain.com/user | grep -i access-control

Test null origin acceptance

curl -sI -H "Origin: null" https://api.yourdomain.com/user | grep -i access-control

Test sibling domain acceptance

curl -sI -H "Origin: https://yourdomain.com.attacker.com" https://api.yourdomain.com/user

Common pitfalls

Reflecting the request `Origin` verbatim. This is the most common CORS mistake. If your allowlist is dynamic, validate the origin against an explicit list of strings, not a regex that can be bypassed.
Accepting `Origin: null`. Sandboxed iframes, `file://` URLs, and `data:` URLs all send `null`. Never allowlist `null`.
Using a subdomain wildcard regex like `/.*\.yourdomain\.com$/`. An attacker-registered subdomain of a forgotten asset takeover (`unclaimed.yourdomain.com`) now has full CORS access.
Setting `Access-Control-Allow-Credentials: true` with any kind of dynamic origin. Credentials + wildcard is blocked by browsers, so developers end up reflecting the origin to work around it, which is exactly as bad.
Forgetting the preflight. `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` must also be restricted - a misconfigured preflight enables non-simple requests you did not intend.

Remediation guide

Map lookup or explicit list.

map $http_origin $cors_origin {
    default "";
    "~^https://(www.)?example.com$" "$http_origin";
}
add_header Access-Control-Allow-Origin $cors_origin always;

nginx

External references

PortSwigger: CORS Vulnerabilities

Frequently asked questions

Why is reflecting Origin dangerous?

It is equivalent to `Access-Control-Allow-Origin: *` with credentials - any attacker-controlled site can make authenticated requests on behalf of the logged-in user and read the response. The only safe pattern is an explicit allowlist of exact origin strings.

Can I safely use `Access-Control-Allow-Origin: *`?

Only for truly public endpoints that never serve user-specific data and never require credentials. Public font CDNs, map tiles, and open-data APIs qualify. Anything behind authentication does not.

Does CORS protect my API?

No. CORS is a browser-enforced opt-in to relax the Same-Origin Policy. Non-browser clients (curl, Postman, server-to-server) ignore it entirely. API authentication, authorization, and input validation remain mandatory.

Keep going

Low severity · Content

Related guide

Missing Content Security Policy (CSP)

High severity · Content

Related guide

Server Information Leakage

Low severity · Misc

Verify your fix

Applied the configuration change? Run a live scan to confirm the vulnerability is patched.

Business risk

How to detect it

Test origin reflection

curl -sI -H "Origin: https://attacker.com" https://api.yourdomain.com/user | grep -i access-control

Test null origin acceptance

curl -sI -H "Origin: null" https://api.yourdomain.com/user | grep -i access-control

Test sibling domain acceptance

curl -sI -H "Origin: https://yourdomain.com.attacker.com" https://api.yourdomain.com/user

Common pitfalls

Reflecting the request `Origin` verbatim. This is the most common CORS mistake. If your allowlist is dynamic, validate the origin against an explicit list of strings, not a regex that can be bypassed.

Accepting `Origin: null`. Sandboxed iframes, `file://` URLs, and `data:` URLs all send `null`. Never allowlist `null`.

Using a subdomain wildcard regex like `/.*\.yourdomain\.com$/`. An attacker-registered subdomain of a forgotten asset takeover (`unclaimed.yourdomain.com`) now has full CORS access.

Setting `Access-Control-Allow-Credentials: true` with any kind of dynamic origin. Credentials + wildcard is blocked by browsers, so developers end up reflecting the origin to work around it, which is exactly as bad.

Forgetting the preflight. `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` must also be restricted - a misconfigured preflight enables non-simple requests you did not intend.

Frequently asked questions

Why is reflecting Origin dangerous?

Can I safely use `Access-Control-Allow-Origin: *`?

Only for truly public endpoints that never serve user-specific data and never require credentials. Public font CDNs, map tiles, and open-data APIs qualify. Anything behind authentication does not.

Does CORS protect my API?