← All checks

CORS Wildcard Misconfiguration

High severity

What is this?

Cross-Origin Resource Sharing (CORS) controls which websites can make requests to your API and read the responses. When your server returns Access-Control-Allow-Origin: *, it tells browsers that any website in the world can make requests to your API and read the data that comes back. For public, read-only APIs this is fine. For anything that handles authentication or returns private data, it is a serious vulnerability.

Why it happens

CORS errors are one of the most frustrating parts of web development. When a developer hits a CORS error, the fastest fix is adding cors({ origin: '*' }) or the equivalent in any framework. Every Stack Overflow answer suggests it. It works instantly in development. And it stays in production because nobody revisits it once the error goes away.

What's at risk

If your API uses cookies or tokens for authentication and returns user-specific data, a CORS wildcard means any malicious website can make authenticated requests on behalf of your users. An attacker creates a page that silently calls your API endpoints, the browser includes the user's cookies automatically, and the attacker's JavaScript reads the response. This can expose user profiles, private messages, financial data, or any information your API serves to authenticated users.

How to fix

Replace the wildcard with your specific frontend origin.

Express:

const cors = require("cors");
app.use(cors({
  origin: "https://yourdomain.com",
  credentials: true,
}));

Flask:

from flask_cors import CORS
CORS(app, origins=["https://yourdomain.com"])

FastAPI:

from fastapi.middleware.cors import CORSMiddleware
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://yourdomain.com"],
    allow_credentials=True,
)

If you have multiple frontends, list each origin explicitly rather than using a wildcard. For truly public APIs that serve no private data and use no cookies, the wildcard is acceptable.

How Preflyt detects it

Preflyt checks the Access-Control-Allow-Origin header in your server's response. It only flags the wildcard as an issue when the response also includes Set-Cookie headers (indicating session management) or returns JSON content (indicating an API endpoint). Static HTML sites serving with CORS * are not flagged because they do not handle authentication.

Frequently asked questions

Is CORS * always dangerous?

No. For truly public, read-only APIs that serve no private data and use no authentication, the wildcard is fine. It becomes dangerous when your API handles cookies, tokens, or returns user-specific data, because any website can then make authenticated requests on behalf of your users.

Do I need CORS for same-origin requests?

No. CORS only applies to cross-origin requests - when your frontend on domain A makes a request to an API on domain B. If your frontend and API share the same origin (same protocol, host, and port), CORS headers are not needed.

How do I test my CORS configuration?

Use curl to inspect the response headers: curl -I -H 'Origin: https://evil.com' https://yourapi.com/endpoint. Check if the Access-Control-Allow-Origin header reflects the attacker origin. You can also use browser DevTools Network tab.

Related checks

Missing Security HeadersProtective HTTP headers absent from responses.Open Database PortsDatabase services directly accessible from the internet.
Check your site now

Free scan. No signup required.