
Offensive360 Academy
Intermediate · 20 min

CORS Misconfiguration

Learn how wildcard CORS and reflected Origin headers allow cross-origin requests to read sensitive API responses.

1 Wildcard CORS and Reflected Origin

CORS (Cross-Origin Resource Sharing) headers tell browsers which origins may read API responses. Misconfigured CORS lets a malicious site read sensitive API data with the credentials (cookies) of an authenticated user who visits it.

Wildcard with credentials — impossible but attempted:

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

Browsers reject this combination, but developers often "fix" it by reflecting the Origin header blindly.

Reflected Origin (critical vulnerability):

# VULNERABLE: mirrors any Origin header back
origin = request.headers.get("Origin", "")
response.headers["Access-Control-Allow-Origin"] = origin  # Mirrors attacker!
response.headers["Access-Control-Allow-Credentials"] = "true"

An attacker creates a page at https://evil.com that sends a credentialed CORS request to your API. Your API responds with Access-Control-Allow-Origin: https://evil.com, allowing the attacker to read the victim's private data.
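A defender-side check for the two misconfigurations described above, added here as an example and not code from the Offensive360 page: given the Origin that was sent to your API, the headers it returned, and the set of origins you actually intend to trust, it reports wildcard-with-credentials, a reflected untrusted Origin, and a missing Vary: Origin. The probe origin https://probe.example and the two response header sets are constructed for the example.

```javascript
// Added example, not from the page: audit the CORS headers an API returned for
// one probe request. "trustedOrigins" is the set your deployment intends to
// allow; any other origin echoed back means the server is reflecting.
function auditCors(sentOrigin, responseHeaders, trustedOrigins) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value);
  }
  const acao = h["access-control-allow-origin"];
  const credentials =
    (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  const varyTokens = (h["vary"] || "").split(",").map((t) => t.trim().toLowerCase());

  const findings = [];
  if (acao === "*" && credentials) {
    // Browsers refuse this pair, but it is the configuration that tends to be
    // "fixed" by reflecting Origin, so it is worth flagging on its own.
    findings.push("wildcard-with-credentials");
  }
  if (acao && acao !== "*" && acao === sentOrigin && !trustedOrigins.has(sentOrigin)) {
    // The exact Origin we sent came back although it is not on the allowlist:
    // the server mirrors whatever it receives.
    findings.push(credentials ? "reflected-origin-with-credentials" : "reflected-origin");
  }
  if (acao && acao !== "*" && !varyTokens.includes("origin")) {
    // A per-origin response without Vary: Origin can be cached by a proxy or
    // CDN and served to a request from a different origin.
    findings.push("missing-vary-origin");
  }
  return findings;
}

// Constructed sample data: the probe origin (not a real host), the origins
// this deployment trusts, and what two API variants might answer.
const PROBE_ORIGIN = "https://probe.example";
const TRUSTED = new Set(["https://myapp.com", "https://www.myapp.com"]);

const REFLECTING_API = {
  "Access-Control-Allow-Origin": "https://probe.example",
  "Access-Control-Allow-Credentials": "true",
};

const ALLOWLISTED_API = {
  // The probe origin is not trusted, so no ACAO header was sent at all.
  "Content-Type": "application/json",
  "Vary": "Origin",
};

function runAudit() {
  return {
    reflecting: auditCors(PROBE_ORIGIN, REFLECTING_API, TRUSTED),
    allowlisted: auditCors(PROBE_ORIGIN, ALLOWLISTED_API, TRUSTED),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

The reflecting variant is reported as reflected-origin-with-credentials and missing-vary-origin; the allowlisted variant produces no findings. Run the same function against each of your own API endpoints with an origin that is deliberately not on the allowlist: a clean result for that probe is the property the rest of this lesson is about.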

2 Strict Origin Allowlist

Only allow specific, pre-approved origins. Validate the Origin header against an allowlist before reflecting it.

Safe CORS middleware (Node.js):

const express = require("express");
const app = express();

const ALLOWED_ORIGINS = new Set([
  "https://myapp.com",
  "https://www.myapp.com",
  "https://admin.myapp.com"
]);

app.use((req, res, next) => {
  const origin = req.headers.origin;
  // Set Vary: Origin on every response, not only on allowed ones, so a cache
  // never reuses a response produced for one origin to answer another.
  res.setHeader("Vary", "Origin");  // Important for caching!
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    // Exact match only: the Origin is echoed solely when it is on the list.
    res.setHeader("Access-Control-Allow-Origin", origin);
    res.setHeader("Access-Control-Allow-Credentials", "true");
  }
  // Disallowed origins get no Access-Control-Allow-Origin header at all.
  next();
});

Defense checklist:

  • Validate Origin against an explicit allowlist before reflecting
  • Never combine wildcard * with credentials
  • Set Vary: Origin to prevent incorrect cache serving
  • Return null or no ACAO header for disallowed origins
  • Use CORS only for public APIs; prefer same-origin for sensitive APIs
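The checklist says to validate against an explicit allowlist; the added example below (not code from the page) shows why the comparison has to be an exact match. It places two shortcuts that developers reach for, a suffix check and an unanchored regex, beside an exact-match check that parses the Origin and looks up its serialised scheme://host[:port], and builds the response headers the way the checklist describes. The hosts attacker.example and notmyapp.com are constructed for the example; the myapp.com origins are the page's own.

```javascript
// Added example, not from the Offensive360 page: three ways to validate an
// Origin against an allowlist. The first two accept origins they should not;
// the third is the exact-match check the checklist calls for.
const ALLOWED_ORIGINS = new Set([
  "https://myapp.com",
  "https://www.myapp.com",
  "https://admin.myapp.com",
]);

// Shortcut 1: suffix match. Any string ending in "myapp.com" passes, including
// other registrable domains that end with those characters, and the scheme is
// never checked.
function suffixMatch(origin) {
  return typeof origin === "string" && origin.endsWith("myapp.com");
}

// Shortcut 2: unanchored regex. Without ^ and $ the pattern only has to occur
// somewhere in the string, so extra text after the host still passes.
const ORIGIN_RE = /https:\/\/(www\.|admin\.)?myapp\.com/;
function regexMatch(origin) {
  return typeof origin === "string" && ORIGIN_RE.test(origin);
}

// Exact match: parse the Origin, take its serialised scheme://host[:port], and
// look that whole string up in the allowlist. Values that do not parse as a
// URL, such as the literal "null" that sandboxed frames send, are rejected.
// Returns the canonical allowed origin, or null.
function allowedOrigin(origin) {
  if (typeof origin !== "string") return null;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null;
  }
  // A real Origin header carries no path, query or fragment; refuse anything else.
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return null;
  return ALLOWED_ORIGINS.has(url.origin) ? url.origin : null;
}
function exactMatch(origin) {
  return allowedOrigin(origin) !== null;
}

// Headers for one response. Vary: Origin goes on every response so caches
// never reuse a per-origin answer across origins. A disallowed origin gets no
// Access-Control-Allow-Origin header at all rather than the value "null",
// because "null" is exactly the origin that sandboxed frames present.
function corsHeadersFor(origin) {
  const headers = { Vary: "Origin" };
  const allowed = allowedOrigin(origin);
  if (allowed !== null) {
    headers["Access-Control-Allow-Origin"] = allowed;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Constructed probe values: two legitimate origins and four that must be
// rejected, with a note of which shortcut wrongly accepts each.
const SAMPLE_ORIGINS = [
  "https://myapp.com",
  "https://admin.myapp.com",
  "https://myapp.com.attacker.example", // unanchored regex accepts
  "https://notmyapp.com",               // suffix check accepts
  "http://myapp.com",                   // suffix check accepts (scheme downgrade)
  "null",                               // all three reject
];

function evaluate() {
  const results = {};
  for (const origin of SAMPLE_ORIGINS) {
    results[origin] = {
      suffix: suffixMatch(origin),
      regex: regexMatch(origin),
      exact: exactMatch(origin),
    };
  }
  return results;
}

console.table(evaluate());
```

The table shows the suffix check accepting notmyapp.com and the plain-http origin, and the regex accepting a host that merely begins with myapp.com; only the exact match rejects all four. Omitting the header for disallowed origins is the safer of the two options the checklist lists, since an Access-Control-Allow-Origin: null response would be readable from any sandboxed frame.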

Knowledge Check

Q1

What makes a "reflected Origin" CORS configuration dangerous?

Q2

Why must you set Vary: Origin alongside dynamic CORS headers?

Q3

Can Access-Control-Allow-Origin: * be used with Access-Control-Allow-Credentials: true?

Code Exercise

Validate Origin Against Allowlist

The CORS middleware reflects any Origin header. Fix it to only allow origins in the approved list.
