high HTTP Headers

CORS Misconfiguration

The server reflects arbitrary Origin headers with credentials, allowing any website to make authenticated cross-origin requests.

Severity
high
Time to Fix
1 hour
Difficulty
medium
OWASP
A05:2021 — Security Misconfiguration

What is CORS Misconfiguration?

Cross-Origin Resource Sharing (CORS) controls which websites can make requests to your API. A critical misconfiguration is reflecting any Origin header back as Access-Control-Allow-Origin AND allowing credentials (Access-Control-Allow-Credentials: true). This lets any malicious site read authenticated API responses, effectively bypassing the same-origin policy.

Why It Matters to Your Business

CORS misconfiguration allows any website to read your authenticated API responses — including user data, session tokens, and business logic. Attackers can build phishing sites that silently exfiltrate data from authenticated users.

How to Fix It

Never reflect arbitrary origins with credentials. Use an explicit allowlist:

Nginx (allowlist approach):
  map $http_origin $allow_origin {
    default "";
    "https://yoursite.com" "https://yoursite.com";
    "https://app.yoursite.com" "https://app.yoursite.com";
  }
  add_header Access-Control-Allow-Origin $allow_origin always;
  add_header Access-Control-Allow-Credentials "true" always;
  add_header Vary Origin always;

Laravel (config/cors.php):
  'paths' => ['api/*'],
  'allowed_methods' => ['*'],
  'allowed_origins' => ['https://yoursite.com', 'https://app.yoursite.com'],
  'supports_credentials' => true,

Never use: Access-Control-Allow-Origin: *  with  Access-Control-Allow-Credentials: true

Technical Classification

OWASP CategoryA05:2021 — Security Misconfiguration
CWE IDCWE-942: Permissive Cross-domain Policy
Detected Bycors scanner(s)
Severity Levelhigh

Check if your website has this vulnerability

Our cors scanner checks for this issue automatically.

Scan My Website Free

Related Vulnerabilities