[{"data":1,"prerenderedAt":185},["ShallowReactive",2],{"blog-vulnerabilities/cors-misconfiguration":3},{"id":4,"title":5,"body":6,"category":164,"date":165,"dateModified":166,"description":167,"draft":168,"extension":169,"faq":170,"featured":168,"headerVariant":171,"image":170,"keywords":170,"meta":172,"navigation":173,"ogDescription":174,"ogTitle":170,"path":175,"readTime":176,"schemaOrg":177,"schemaType":178,"seo":179,"sitemap":180,"stem":181,"tags":182,"twitterCard":183,"__hash__":184},"blog/blog/vulnerabilities/cors-misconfiguration.md","CORS Misconfiguration Explained",{"type":7,"value":8,"toc":154},"minimark",[9,16,21,24,28,43,53,58,88,92,101,123,142],[10,11,12],"tldr",{},[13,14,15],"p",{},"CORS (Cross-Origin Resource Sharing) controls which websites can make requests to your API. A misconfigured CORS policy can let attackers steal user data from malicious websites. Never use Access-Control-Allow-Origin: * with credentials, and always validate origins against an allowlist.",[17,18,20],"h2",{"id":19},"what-is-cors","What Is CORS?",[13,22,23],{},"CORS is a browser security feature that restricts web pages from making requests to a different domain than the one serving the page. Your server tells browsers which origins are allowed to access your API through response headers.",[17,25,27],{"id":26},"common-cors-mistakes","Common CORS Mistakes",[29,30,32],"code-block",{"label":31},"Dangerous: Reflecting any origin",[33,34,39],"pre",{"className":35,"code":37,"language":38},[36],"language-text","// VULNERABLE: Reflects whatever origin is sent\napp.use((req, res, next) => {\n  res.header('Access-Control-Allow-Origin', req.headers.origin);\n  res.header('Access-Control-Allow-Credentials', 'true');\n  next();\n});\n\n// Attacker's site can now read authenticated responses!\n","text",[40,41,37],"code",{"__ignoreMap":42},"",[44,45,46],"danger-box",{},[13,47,48,52],{},[49,50,51],"strong",{},"Critical mistake:"," Reflecting the Origin header while allowing credentials means any website can make authenticated requests to your API and read the responses.",[54,55,57],"h3",{"id":56},"other-dangerous-patterns","Other Dangerous Patterns",[59,60,61,68,78,85],"ul",{},[62,63,64,67],"li",{},[40,65,66],{},"Access-Control-Allow-Origin: *"," with sensitive data",[62,69,70,71,74,75],{},"Regex matching that can be bypassed: ",[40,72,73],{},"/\\.yoursite\\.com$/"," matches ",[40,76,77],{},"evilyoursite.com",[62,79,80,81,84],{},"Allowing ",[40,82,83],{},"null"," origin (used by sandboxed iframes)",[62,86,87],{},"Trusting subdomains when any subdomain could be compromised",[17,89,91],{"id":90},"secure-cors-configuration","Secure CORS Configuration",[29,93,95],{"label":94},"Proper origin validation",[33,96,99],{"className":97,"code":98,"language":38},[36],"const allowedOrigins = [\n  'https://yoursite.com',\n  'https://app.yoursite.com'\n];\n\napp.use((req, res, next) => {\n  const origin = req.headers.origin;\n\n  if (allowedOrigins.includes(origin)) {\n    res.header('Access-Control-Allow-Origin', origin);\n    res.header('Access-Control-Allow-Credentials', 'true');\n  }\n\n  res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');\n  res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');\n  next();\n});\n",[40,100,98],{"__ignoreMap":42},[102,103,104,111,117],"faq-section",{},[105,106,108],"faq-item",{"question":107},"Can I use * if I don't use cookies?",[13,109,110],{},"Using * is safe for truly public APIs with no authentication. But if you use any form of auth (tokens in headers, API keys), you should restrict origins.",[105,112,114],{"question":113},"Why does CORS only apply to browsers?",[13,115,116],{},"CORS is enforced by browsers to protect users. Server-to-server requests or curl bypass CORS entirely. It prevents malicious websites from using the user's browser as a proxy.",[105,118,120],{"question":119},"What about preflight requests?",[13,121,122],{},"Browsers send OPTIONS requests before certain cross-origin requests. Make sure your server handles OPTIONS and returns the correct CORS headers.",[124,125,126,132,137],"related-articles",{},[127,128],"related-card",{"description":129,"href":130,"title":131},"Related cross-origin attack","/blog/vulnerabilities/csrf","CSRF Explained",[127,133],{"description":134,"href":135,"title":136},"Can bypass CORS restrictions","/blog/vulnerabilities/xss","XSS Explained",[127,138],{"description":139,"href":140,"title":141},"Complete header guide","/blog/how-to/add-security-headers","Security Headers",[143,144,147,151],"cta-box",{"href":145,"label":146},"/","Start Free Scan",[17,148,150],{"id":149},"check-your-cors-config","Check Your CORS Config",[13,152,153],{},"Our scanner tests your CORS headers for common misconfigurations.",{"title":42,"searchDepth":155,"depth":155,"links":156},2,[157,158,162,163],{"id":19,"depth":155,"text":20},{"id":26,"depth":155,"text":27,"children":159},[160],{"id":56,"depth":161,"text":57},3,{"id":90,"depth":155,"text":91},{"id":149,"depth":155,"text":150},"vulnerabilities","2026-01-15","2026-02-03","CORS misconfiguration can expose your API to unauthorized cross-origin requests. Learn how CORS works, common mistakes, and how to configure it securely.",false,"md",null,"red",{"noindex":173},true,"Learn how CORS works and how to avoid dangerous misconfigurations.","/blog/vulnerabilities/cors-misconfiguration","6 min read","[object Object]","TechArticle",{"title":5,"description":167},{"loc":175},"blog/vulnerabilities/cors-misconfiguration",[],"summary_large_image","47Gqh48G4j0LzBveXoCMa2s3LV2mOPeHEHh-wgkvBSk",1775843926817]