Medium · A05:2021 · CWE-346 · Security Misconfiguration

CORS Misconfiguration

Misconfigured Cross-Origin Resource Sharing allows malicious websites to make authenticated API requests on behalf of logged-in users, stealing data and performing actions without consent.

What Is a CORS Misconfiguration?

Cross-Origin Resource Sharing (CORS) is the browser mechanism that controls which domains can make cross-origin requests to your API. A misconfiguration allows malicious websites to make authenticated requests to your API using the victim's session cookies or credentials.

Common Misconfigurations

Wildcard with credentials

# Vulnerable — impossible combination but surprisingly common
response.headers["Access-Control-Allow-Origin"] = "*"
response.headers["Access-Control-Allow-Credentials"] = "true"

Browsers block this combination, but some frameworks silently ignore the conflict and become exploitable.

Reflecting the Origin header without validation

# Vulnerable — trusts any origin blindly
@app.middleware("http")
async def cors_middleware(request, call_next):
    origin = request.headers.get("origin", "")
    response = await call_next(request)
    response.headers["Access-Control-Allow-Origin"] = origin  # Reflects anything!
    response.headers["Access-Control-Allow-Credentials"] = "true"
    return response

An attacker hosts evil.com, which makes requests to your API — the API reflects evil.com as allowed and the browser delivers the response.

Weak origin validation

# Vulnerable — regex bypass: evil-vibewshield.com matches
if "vibewshield.com" in origin:
    allow_origin = origin

Real-World Impact

  • Data theft — evil.com reads your API responses as the logged-in user
  • Account actions — post, delete, or modify on behalf of victims
  • Credential exposure — any endpoint returning tokens, keys, or PII is fully readable

How to Fix

Explicit allowlist validation:

ALLOWED_ORIGINS = {
    "https://vibewshield.com",
    "https://www.vibewshield.com",
}
 
def get_cors_origin(request_origin: str) -> str | None:
    if request_origin in ALLOWED_ORIGINS:
        return request_origin
    return None

FastAPI (using fastapi.middleware.cors):

from fastapi.middleware.cors import CORSMiddleware
 
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://vibewshield.com"],  # Explicit list — never "*" with credentials
    allow_credentials=True,
    allow_methods=["GET", "POST", "PUT", "DELETE"],
    allow_headers=["Authorization", "Content-Type"],
)

Never use allow_origins=["*"] with allow_credentials=True.

What VibeWShield Detects

VibeWShield sends requests with crafted Origin headers (null, arbitrary domains, subdomain variants) and checks whether the response reflects them in Access-Control-Allow-Origin paired with Access-Control-Allow-Credentials: true. It also tests for pre-flight bypass vectors.

#cors #api #browser #misconfiguration
