SecurityStatus
Severity: critical | Category: Headers

CORS Configuration

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which external websites can make API requests to your server. A misconfigured CORS policy can allow any website on the internet to make authenticated requests to your API on behalf of your logged-in users.

What SecurityStatus Checks

  • Whether Access-Control-Allow-Origin is set to wildcard (*) with credentials allowed
  • Whether the origin header is reflected back without validation (trust any origin)
  • Whether null origin is accepted as a valid origin
  • Whether preflight OPTIONS requests return overly permissive headers
  • Whether Access-Control-Allow-Credentials is true with a wildcard or reflected origin

Why This Matters

The most dangerous CORS misconfiguration is reflecting the request Origin header back with Access-Control-Allow-Credentials: true. This means any website can make authenticated API calls to your server using the victim's cookies. This can lead to account takeover and data theft without any user interaction beyond visiting a malicious site.

How to Fix It

  1. Define an explicit allowlist of origins

     Never accept arbitrary origins. Maintain a list of allowed origins in your code: `const allowedOrigins = ['https://app.yourdomain.com', 'https://yourdomain.com']`. Validate the incoming Origin header against this list.

  2. Never combine wildcard with credentials

     The combination of `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` is invalid in modern browsers, but some old configurations still attempt it. Use an explicit origin instead of `*` when credentials are needed.

  3. Reject null origins

     The `null` origin appears in sandboxed iframes and local file requests. Never add `null` to your allowlist; attackers can produce it from a sandboxed iframe.

  4. Restrict allowed methods and headers

     Only allow the HTTP methods your API actually uses. Set `Access-Control-Allow-Methods: GET, POST` rather than allowing all methods. Similarly restrict `Access-Control-Allow-Headers`.
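The four steps above combined into one origin check, written here as an added example rather than SecurityStatus's own code; the origins are the guide's placeholder domains, and the allowed-headers list is an assumption for the sake of the example.

```javascript
// Added example (not SecurityStatus's own code): a CORS decision function
// implementing the four fix steps above. It returns the headers to set, or
// null when the origin is not allowed (then send no CORS headers at all).
const allowedOrigins = new Set([
  'https://app.yourdomain.com', // placeholder domains taken from the guide
  'https://yourdomain.com',
]);
const allowedMethods = ['GET', 'POST'];
const allowedHeaders = ['Content-Type', 'Authorization']; // assumed for this API

function corsHeadersFor(originHeader) {
  // Step 3: the literal "null" origin (sandboxed iframe, file://) is never
  // trusted. A missing Origin header means same-origin or non-browser traffic,
  // which needs no CORS headers either.
  if (typeof originHeader !== 'string' || originHeader === 'null') return null;
  // Step 1: exact-match lookup. Prefix or substring checks would let
  // https://yourdomain.com.attacker.example through.
  if (!allowedOrigins.has(originHeader)) return null;
  return {
    // Step 2: echo the single matched origin, never '*', since credentials are on.
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    // Step 4: only the methods and headers this API actually uses.
    'Access-Control-Allow-Methods': allowedMethods.join(', '),
    'Access-Control-Allow-Headers': allowedHeaders.join(', '),
    // Responses differ per origin, so caches must key on Origin as well.
    'Vary': 'Origin',
  };
}

// The pattern the page warns about, kept only for contrast: it reflects any
// Origin with credentials, so every site on the internet is "allowed".
function reflectedOriginHeaders(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Request handler usable as http.createServer(handle). Preflight OPTIONS is
// answered with 204; without CORS headers the browser blocks the real request.
function handle(req, res) {
  const cors = corsHeadersFor(req.headers.origin);
  if (cors) for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}
```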

Frequently Asked Questions

Does CORS affect non-browser requests?
No. CORS is a browser enforcement mechanism. Server-to-server requests, curl, and tools like Postman are not subject to CORS restrictions. CORS only protects against malicious websites running in victim browsers.
Is Access-Control-Allow-Origin: * always bad?
Not always. If your API serves only public data and never uses cookies or authentication, a wildcard is fine. The danger is wildcard combined with credentials, or reflected origins with credentials.
How do I test my CORS configuration?
Use curl with a custom Origin header: `curl -H 'Origin: https://evil.com' -v https://api.yourdomain.com/endpoint`. Check if the response includes `Access-Control-Allow-Origin: https://evil.com`. If it does, and you have credentials enabled, you have a critical vulnerability.
