CORS Misconfiguration: Detection & Prevention Guide
🌐 What is CORS and Why Does It Matter?
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls which websites can make requests to your API. The Same-Origin Policy (SOP) blocks cross-origin reads by default—CORS is the mechanism servers use to selectively relax this restriction. When misconfigured, CORS lets attackers steal sensitive data from authenticated users.
Real-world Impact
CORS misconfigurations have been found in major platforms including cloud providers, financial services, and SaaS applications. Attackers can steal user data, API keys, and session tokens simply by tricking a victim into visiting a malicious webpage. Unlike XSS, no injection into the target site is required.
At its core
A CORS vulnerability exists when:
1) The server reflects or broadly allows untrusted origins.
2) Credentials (cookies, auth headers) are included in cross-origin requests.
3) The response contains sensitive data readable by the attacker's JavaScript.
Vulnerable CORS Configuration (Express.js)
```javascript
// ⚠️ Vulnerable: reflects any Origin header
app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  next();
});
```

In this example, the server blindly reflects whatever Origin header the browser sends. Combined with Access-Control-Allow-Credentials: true, any malicious site can make authenticated requests and read the response—effectively bypassing the Same-Origin Policy entirely.
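A hardened replacement for the reflecting middleware, added here as an example and not code from the original page: it echoes the Origin only on an exact allowlist match, and a small checker flags the reflected-origin-plus-credentials pattern in a response. The hostnames in ALLOWED_ORIGINS are placeholders, and the detection helper assumes Node-style lower-cased header names.

```javascript
// Added example, not code from the original page: an exact-match origin
// allowlist that replaces the reflecting middleware shown above, plus a
// checker for spotting the dangerous header combination in responses.
// The hostnames are placeholders; substitute your own trusted origins.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Build the CORS response headers for a request's Origin value. The origin
// is echoed only if it is an exact allowlist member: a missing Origin, the
// literal "null", and lookalikes such as https://app.example.com.evil.test
// (which a startsWith or loose regex check would accept) get no ACAO header,
// so the browser refuses to expose the response to the calling script.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' }; // shared caches must key on Origin
  if (typeof origin !== 'string' || !allowed.has(origin)) return headers;
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
  headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  headers['Access-Control-Max-Age'] = '600';
  return headers;
}

// Express-style middleware using the same req.headers.origin / res.setHeader
// calls as the vulnerable snippet; mount it with app.use(corsMiddleware()).
function corsMiddleware(allowed = ALLOWED_ORIGINS) {
  return (req, res, next) => {
    const headers = corsHeadersFor(req.headers.origin, allowed);
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (req.method === 'OPTIONS') return res.status(204).end(); // preflight done
    next();
  };
}

// Detection helper: given the Origin used in a probe request and the response
// headers (lower-cased names, as Node's http module returns them), report
// whether the server reflected that origin together with credentials. Run it
// with an origin you do not trust; true means the page's vulnerability pattern.
function isCredentialedReflection(probeOrigin, resHeaders) {
  const acao = resHeaders['access-control-allow-origin'];
  const acac = String(resHeaders['access-control-allow-credentials'] || '');
  return acao === probeOrigin && acac.toLowerCase() === 'true';
}
```

Headers returned by corsHeadersFor for an untrusted origin contain only Vary, which is what a probe with an unexpected Origin should show on a correctly configured API.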
How CORS Works: Preflight & Simple Requests
Simple Request (GET, HEAD, POST with simple content types): the browser sends the request directly, for example fetch('https://api.bank.com/account'), and the response header Access-Control-Allow-Origin: * determines whether the calling script may read the result.
Preflight Request (PUT, DELETE, custom headers): the browser first sends OPTIONS /api/transfer, and the server must answer with Access-Control-Allow-Methods (ACAM): PUT, DELETE before the real request is sent.
📋 CORS Headers Deep Dive
CORS is entirely controlled by HTTP response headers. Understanding each header is critical for both identifying misconfigurations and implementing secure policies. The most security-sensitive headers are Access-Control-Allow-Origin (ACAO) and Access-Control-Allow-Credentials (ACAC).
Key CORS Response Headers
| Header | Purpose | Security Concern |
|---|---|---|
| Access-Control-Allow-Origin | Which origins can read the response | Wildcard (*) or reflected origin allows broad access |
| Access-Control-Allow-Credentials | Whether cookies/auth are included | true + permissive ACAO = credential theft |
| Access-Control-Allow-Methods | Allowed HTTP methods for preflight | Overly broad methods enable state-changing attacks |
| Access-Control-Allow-Headers | Allowed custom request headers | Wildcard removes preflight protection |
| Access-Control-Expose-Headers | Which response headers JS can read | Exposing auth/token headers leaks secrets |
| Access-Control-Max-Age | Preflight cache duration in seconds | Long cache delays policy change propagation |
CORS Headers Explorer
Access-Control-Allow-Origin specifies which origins can access the resource; typical values are a single trusted origin such as https://trusted.com or the wildcard *. A wildcard (*) allows any site to read the response. Using * with credentials, or reflecting any Origin without validation, lets attackers read authenticated responses.