CORS Misconfiguration
The server reflects arbitrary Origin headers with credentials, allowing any website to make authenticated cross-origin requests.
What is CORS Misconfiguration?
Cross-Origin Resource Sharing (CORS) controls which websites can make requests to your API. A critical misconfiguration is reflecting any Origin header back as Access-Control-Allow-Origin AND allowing credentials (Access-Control-Allow-Credentials: true). This lets any malicious site read authenticated API responses, effectively bypassing the same-origin policy.
Why It Matters to Your Business
CORS misconfiguration allows any website to read your authenticated API responses — including user data, session tokens, and business logic. Attackers can build phishing sites that silently exfiltrate data from authenticated users.
How to Fix It
Never reflect arbitrary origins with credentials. Use an explicit allowlist:
Nginx (allowlist approach):
map $http_origin $allow_origin {
default "";
"https://yoursite.com" "https://yoursite.com";
"https://app.yoursite.com" "https://app.yoursite.com";
}
add_header Access-Control-Allow-Origin $allow_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Vary Origin always;
Laravel (config/cors.php):
'paths' => ['api/*'],
'allowed_methods' => ['*'],
'allowed_origins' => ['https://yoursite.com', 'https://app.yoursite.com'],
'supports_credentials' => true,
Never use: Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true
Technical Classification
| OWASP Category | A05:2021 — Security Misconfiguration |
| CWE ID | CWE-942: Permissive Cross-domain Policy |
| Detected By | cors scanner(s) |
| Severity Level | high |
How 2MNY Security Can Help
Check if your website has this vulnerability
Our cors scanner checks for this issue automatically.
Scan My Website FreeRelated Vulnerabilities
Missing HSTS Header
The HTTP Strict Transport Security (HSTS) header is missing, allowing browsers to silently downgrade HTTPS connections to HTTP.
Missing Content-Security-Policy Header
No Content-Security-Policy (CSP) header is set, leaving the site vulnerable to cross-site scripting (XSS) and data injection attacks.
Missing X-Frame-Options Header (Clickjacking)
The X-Frame-Options header is missing, allowing your site to be embedded in iframes on malicious sites (clickjacking attacks).
Insecure Cookie Configuration
Session cookies are missing the Secure, HttpOnly, or SameSite attributes, exposing them to theft via XSS, MITM, or CSRF.