Security Headers

How to fix CORS misconfiguration (overly permissive)

Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.

What it is

CORS (Cross-Origin Resource Sharing) is controlled by response headers such as Access-Control-Allow-Origin. A misconfiguration typically either allows any origin (*) or reflects whatever Origin header the request sends without checking it against an allowlist. Either way, a page on any other site can make a visitor's browser read responses from your API; if a reflected origin is combined with Access-Control-Allow-Credentials: true, those cross-site requests also carry the visitor's session cookies.

Why it matters

Overly permissive CORS exposes your API to any website a user visits. If you use credentials (cookies, auth headers), Access-Control-Allow-Origin must name one specific origin, not *: browsers refuse to send credentials to a * response, which is why misconfigured apps tend to reflect the request Origin instead, and reflecting every origin together with Access-Control-Allow-Credentials: true hands any site a logged-in user's session. Fixing CORS limits which sites can call your API from the browser and is a common audit finding.

How to fix it

  1. See what you're sending

    Run Barrion's CORS check or inspect the Access-Control-Allow-Origin and related headers in your API responses. Note if you're using * or reflecting the request origin for every request.

  2. Define allowed origins

    List the full origins (scheme, host and port) that should be allowed to call your API (e.g. https://app.example.com, https://admin.example.com). Avoid * if your API is used with credentials or returns anything non-public; a fully public, unauthenticated, read-only API is the only case where * is reasonable.

  3. Set the header from an allowlist

    In your app or reverse proxy, compare the request's Origin header against the allowlist as an exact string, not a substring or loose regex: a pattern that merely contains example.com also matches a host such as example.com.attacker.test. If it matches, send Access-Control-Allow-Origin with that single origin, plus Vary: Origin so caches do not reuse the response for a different origin. If it does not match, send no CORS headers at all (not *, and not the offending origin echoed back). If you need credentials, also set Access-Control-Allow-Credentials: true and ensure Allow-Origin is never *. If your API receives non-simple requests (JSON bodies, custom headers, PUT/DELETE), answer the OPTIONS preflight with Access-Control-Allow-Methods and Access-Control-Allow-Headers, again only for allowlisted origins.

  4. Verify

    Re-run the CORS check from an allowed origin and from a disallowed origin you do not control. The allowed origin should get its own value back in Access-Control-Allow-Origin; the disallowed one should get no Access-Control-Allow-Origin header at all. If you use credentials, confirm Access-Control-Allow-Credentials: true only appears alongside an allowlisted origin, and that a preflight (OPTIONS) from an allowed origin still succeeds.
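Putting the four steps together, here is an added example in plain Node.js; it is not code from this page or from Barrion. It shows an exact-match allowlist, a middleware that emits CORS headers only for listed origins and answers preflights, the insecure origin-reflecting variant kept only for contrast, and a small audit function that performs the step 1 and step 4 check against a disallowed probe origin. The origins, allowed methods and allowed headers are placeholders you would replace with your own.

```javascript
// Added example, not code from the page or from Barrion: allowlist-based CORS decision
// logic plus a small checker for the two misconfigurations the page describes.
// corsMiddleware has the (req, res, next) shape Express uses, but this file runs under
// plain Node with no dependencies.

// Assumed allowlist using the page's placeholder origins. Exact match only: a regex such
// as /example\.com/ would also match https://example.com.attacker.test.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);
const ALLOW_CREDENTIALS = true;                // false if the API never uses cookies/auth headers
const ALLOWED_METHODS = 'GET,POST,PUT,DELETE'; // assumed; list only what the API serves
const ALLOWED_HEADERS = 'Content-Type,Authorization';

// Insecure "before": echoes whatever Origin arrives, with credentials. Kept only so that
// auditCors has something to flag; do not deploy this.
function reflectingHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened "after": the CORS headers for a request, or {} when the Origin header is absent
// or not allowlisted (no header at all means the browser blocks the cross-origin read).
function corsHeaders(origin, method) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin, // exactly one concrete origin, never '*'
    'Vary': 'Origin',                       // stop caches serving one origin's reply to another
  };
  if (ALLOW_CREDENTIALS) headers['Access-Control-Allow-Credentials'] = 'true';
  if (method === 'OPTIONS') {               // preflight: advertise methods/headers, allow caching
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Express/Connect-style middleware: app.use(corsMiddleware) before the routes.
function corsMiddleware(req, res, next) {
  for (const [name, value] of Object.entries(corsHeaders(req.headers.origin, req.method))) {
    res.setHeader(name, value);
  }
  if (req.method === 'OPTIONS') {           // a preflight never reaches a route handler
    res.statusCode = 204;
    return res.end();
  }
  next();
}

// Step 1 / step 4 check. Send a probe Origin you neither control nor allow, then pass the
// response headers (lower-cased names) here. Returns the findings; empty means clean.
function auditCors(probeOrigin, responseHeaders) {
  const findings = [];
  const acao = responseHeaders['access-control-allow-origin'];
  const withCreds = responseHeaders['access-control-allow-credentials'] === 'true';
  if (acao === '*') findings.push('Allow-Origin is * (any site can read responses)');
  if (acao === probeOrigin) findings.push('request Origin is reflected without an allowlist');
  if (findings.length > 0 && withCreds) findings.push('and credentials are allowed for it');
  return findings;
}

// Runs the middleware against a fake request/response so behaviour can be inspected
// offline; returns the status, lower-cased response headers and whether a route would run.
function simulate(origin, method) {
  const req = { method, headers: origin ? { origin } : {} };
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    end() {},
  };
  let reachedRoute = false;
  corsMiddleware(req, res, () => { reachedRoute = true; });
  return { status: res.statusCode, headers: res.headers, reachedRoute };
}

// Lower-case header names the way an HTTP client library would present them.
function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Demo with a constructed disallowed origin.
const probe = 'https://attacker.example';
console.log('before:', auditCors(probe, lowerKeys(reflectingHeaders(probe))));
console.log('after :', auditCors(probe, simulate(probe, 'GET').headers));
console.log('allowed GET:', simulate('https://app.example.com', 'GET'));
console.log('preflight  :', simulate('https://app.example.com', 'OPTIONS'));
```

Wire it in with app.use(corsMiddleware) ahead of your routes. The simulate helper runs the middleware against a fake request so the headers can be inspected without starting a server; against a real deployment, run auditCors on the headers returned for a request that carries an Origin you do not control.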

Examples by platform

Nginx

# Echo the Origin only when it matches the allowlist exactly; otherwise send no CORS header at all.
if ($http_origin ~* "^https://(app|admin)\.example\.com$") {
  add_header Access-Control-Allow-Origin $http_origin;
  add_header Vary Origin;
}

Node.js (Express)

const allowed = ['https://app.example.com', 'https://admin.example.com'];
app.use((req, res, next) => {
  const origin = req.headers.origin;
  // Exact match only; never echo an Origin that is not on the list
  if (allowed.includes(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Vary', 'Origin'); // the response differs per origin, so caches must key on it
    // res.setHeader('Access-Control-Allow-Credentials', 'true'); // only if cookies/auth headers are needed
  }
  next();
});

Check your site

Run Barrion's free security headers check to see if this finding applies to your app and get a full report.



© 2025 Barrion AB (559569-0917) - All Rights Reserved.