Critical Severity

CORS Misconfiguration

Cross-Origin Resource Sharing (CORS) controls which domains can access your API resources via the browser.

Business Risk

The "Wildcard Exploit": Setting `Access-Control-Allow-Origin: *` allows ANY site to read your API response. If you also allow `Access-Control-Allow-Credentials: true`, you have created a Critical vulnerability. Attackers can read private user data (emails, settings) by hosting a malicious site that queries your API on behalf of the logged-in user.

Technical Details

Never use `*` together with `Access-Control-Allow-Credentials: true`. Browsers refuse to expose a credentialed response when the allowed origin is `*`, so developers often work around the block by reflecting the request's `Origin` header back verbatim, which is just as bad: every origin is then trusted. Explicitly whitelist trusted domains instead.

Remediation Guide

Map lookup or explicit list (nginx). The regex must escape the dots, otherwise `.` matches any character and look-alike hosts pass the check; `Vary: Origin` keeps a shared cache from serving one origin's allowed header to another.

```nginx
# Allow-list of trusted origins: only an exact match is echoed back,
# everything else gets an empty value and therefore no header at all.
map $http_origin $cors_origin {
    default "";
    "~^https://(www\.)?example\.com$" $http_origin;
}
add_header Access-Control-Allow-Origin $cors_origin always;
# Cache responses per origin so the allowed header is never reused across origins.
add_header Vary Origin always;
```
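The reflected-Origin anti-pattern from the Technical Details section next to the allow-list the Remediation Guide recommends, as an added example that is not part of the original page. `example.com` stands in for your own trusted site, and `is_readable_cross_origin` models the browser's decision for a credentialed request.

```python
import re
from typing import Dict, Optional

# Placeholder trusted site; dots are escaped so look-alike hosts do not match.
ALLOWED_ORIGIN_RE = re.compile(r"^https://(www\.)?example\.com$")


def reflected_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """The anti-pattern: echo whatever Origin arrives, plus credentials.

    Browsers reject '*' with credentials, so code like this is the usual
    workaround; any site can then read authenticated API responses.
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlisted_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Emit CORS headers only for an exact allow-list match.

    Mirrors the nginx `map` in the remediation guide: unmatched origins get
    no Access-Control-* headers at all, and Vary: Origin stops caches from
    serving one origin's headers to another.
    """
    if origin is None or not ALLOWED_ORIGIN_RE.match(origin):
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def is_readable_cross_origin(headers: Dict[str, str], origin: str) -> bool:
    """Browser rule for a credentialed request: the allowed origin must equal
    the requesting origin exactly ('*' is rejected) and credentials must be
    explicitly allowed; only then can the page at `origin` read the body."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == origin and creds
```

The constructed origins in the checks (`https://attacker.example`, `https://example.com.attacker.example`, `https://wwwxexample.com`, `null`) are the cases a scanner probes: the reflecting variant exposes the response to all of them, the allow-list exposes it only to `https://www.example.com`.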
