What is a CORS misconfiguration?

A CORS misconfiguration is an overly permissive cross-origin policy — such as reflecting any Origin with credentials enabled — that lets malicious sites read authenticated responses.

Why is Access-Control-Allow-Origin: * with credentials dangerous?

Browsers forbid that exact combination, but reflecting the requesting origin while allowing credentials achieves the same risk: any site can make authenticated cross-origin requests and read the response.

How do you configure CORS securely?

Allowlist specific trusted origins, avoid dynamically reflecting arbitrary origins, only enable credentials when necessary, and restrict allowed methods and headers.

CORS Misconfiguration Guide

01 //What is CORS and Why Does It Matter?

Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls which websites can make requests to your API. The Same-Origin Policy (SOP) blocks cross-origin reads by default—CORS is the mechanism servers use to selectively relax this restriction. When misconfigured, CORS lets attackers steal sensitive data from authenticated users.

⚠ real-world impact

CORS misconfigurations have been found in major platforms including cloud providers, financial services, and SaaS applications. Attackers can steal user data, API keys, and session tokens simply by tricking a victim into visiting a malicious webpage. Unlike XSS, no injection into the target site is required.

$ heuristic — at its core

A CORS vulnerability exists when: 1) the server reflects or broadly allows untrusted origins. 2) credentials (cookies, auth headers) are included in cross-origin requests. 3) the response contains sensitive data readable by the attacker's JavaScript.

Vulnerable CORS Configuration (Express.js)

javascript

1// VULNERABLE: reflects any Origin header
2app.use((req, res, next) => {
3  res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
4  res.setHeader('Access-Control-Allow-Credentials', 'true');
5  next();
6});

In this example, the server blindly reflects whatever Origin header the browser sends. Combined with Access-Control-Allow-Credentials: true, any malicious site can make authenticated requests and read the response—effectively bypassing the Same-Origin Policy entirely.

$ check your understanding

Why is the Same-Origin Policy important for web security?

$ how CORS works

$ ./diagram --cors-flow

# simple request (GET / HEAD / POST with simple content-types)

browser · evil.com

fetch('https://api.bank.com/account')

→

Origin: evil.com

request / response

→

api.bank.com

ACAO: * (returned)

# preflight (PUT / DELETE / custom headers)

browser

OPTIONS /api/transfer

→

1. preflight

2. allowed methods/headers → 3. actual request

→

api server

ACAM: PUT, DELETE

02 //CORS Headers Deep Dive

CORS is entirely controlled by HTTP response headers. Understanding each header is critical for both identifying misconfigurations and implementing secure policies. The most security-sensitive headers are Access-Control-Allow-Origin (ACAO) and Access-Control-Allow-Credentials (ACAC).

Key CORS Response Headers

Header	Purpose	Security Concern
Access-Control-Allow-Origin	Which origins can read the response	Wildcard (*) or reflected origin allows broad access
Access-Control-Allow-Credentials	Whether cookies/auth are included	true + permissive ACAO = credential theft
Access-Control-Allow-Methods	Allowed HTTP methods for preflight	Overly broad methods enable state-changing attacks
Access-Control-Allow-Headers	Allowed custom request headers	Wildcard removes preflight protection
Access-Control-Expose-Headers	Which response headers JS can read	Exposing auth/token headers leaks secrets
Access-Control-Max-Age	Preflight cache duration in seconds	Long cache delays policy change propagation

$ try it yourself

$ explore --cors-headers

full header

Access-Control-Allow-Origin

Specifies which origins can access the resource. A wildcard (*) allows any site to read the response.

safe value

https://trusted.com

risky value

*

⚠ security risk

Using * with credentials, or reflecting any Origin without validation, lets attackers read authenticated responses.

$ check your understanding

Which combination of CORS headers creates the most dangerous misconfiguration?

Learn the patterns,
then go find them.

CORS Misconfiguration Guide

01 //What is CORS and Why Does It Matter?

02 //CORS Headers Deep Dive

Key CORS Response Headers

Blurred Premium Content

More Value Behind This Gate

Premium Content

Frequently asked questions

Learn the patterns,then go find them.

01 //What is CORS and Why Does It Matter?

02 //CORS Headers Deep Dive

Key CORS Response Headers

Blurred Premium Content

More Value Behind This Gate

Premium Content

Frequently asked questions

Learn the patterns,
then go find them.