CORS Misconfigurations and Security Risks
Cross-Origin Resource Sharing controls which domains can make requests to your API. Misconfigured CORS headers can let any website steal your users' data. The most dangerous mistake is reflecting the Origin header back as Access-Control-Allow-Origin while also allowing credentials.
Try it now
CORS Checker
Runs in your browser, nothing leaves your device.
Reflecting the request's Origin header as the allowed origin effectively disables CORS. Adding `Access-Control-Allow-Credentials: true` makes it exploitable for data theft. The `null` origin is allowed by some configs, and attackers can trigger it using sandboxed iframes or data: URLs. Wildcard `*` with credentials is rejected by browsers, but wildcard without credentials still allows enumeration attacks.
Testing CORS
Send a request with an Origin header set to an attacker-controlled domain. If the response reflects that origin in Access-Control-Allow-Origin, the configuration is vulnerable. Test with `null` as the origin. Check if Access-Control-Allow-Credentials is true. Test preflight requests (OPTIONS) with unusual methods and headers to see what's allowed.
Examples
Dangerous: reflected origin with credentials
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true
Any website can steal authenticated data from this API
Security context
CORS misconfigurations are one of the most common API vulnerabilities. They often go unnoticed because the application works fine for legitimate users. The risk only manifests when an attacker crafts a malicious page that makes cross-origin requests.
Frequently asked
It depends. Wildcard with credentials is blocked by browsers. Wildcard without credentials means any site can read your responses, which is fine for public APIs but dangerous if the endpoint returns user-specific data or internal information.
Related techniques
Content Security Policy (CSP) Analysis
How to analyze and audit Content-Security-Policy headers. Detect unsafe-inline, unsafe-eval, wildcard sources, and other misconfigurations that enable XSS.
HTTP Security Headers Checklist
Review HTTP response headers for security misconfigurations. Check for missing HSTS, X-Content-Type-Options, X-Frame-Options, and information leaks in Server headers.
Cookie Security Flags: Secure, HttpOnly, SameSite
Audit cookie security attributes. Detect session cookies missing Secure, HttpOnly, or SameSite flags that enable session hijacking and CSRF attacks.