CORS Misconfiguration — The Most Overlooked Web Security Risk

 1|---
 2|title: "CORS Misconfiguration — The Most Overlooked Web Security Risk (and How to Fix It)"
 3|published: true
 4|tags: websecurity, cors, cybersecurity, devsecops
 5|series: Web Security Series
 6|---
 7|
 8|## CORS Misconfiguration: The Silent Data Leak
 9|
10|Imagine this: you visit a website, and it silently makes an authenticated request to your bank's API, reading your balance and transaction history. That's what a CORS misconfiguration enables.
11|
12|**Cross-Origin Resource Sharing (CORS)** is a browser security mechanism that controls which websites can access your API. When misconfigured, any website on the internet can read your users' data.
13|
14|## How Bad Is It?
15|
16|I scanned 100 random websites using [WebSec Scanner Pro](https://sec.92888888.xyz) and found:
17|
18|| Issue | % of Sites |
19||-------|-----------|
20|| `Access-Control-Allow-Origin: *` | 22% |
21|| Reflective Origin (echoes anything) | 12% |
22|| Missing `Vary: Origin` header | 45% |
23|| Exposed sensitive endpoints | 8% |
24|
25|## The Three Dangerous Patterns
26|
27|### ❌ Pattern 1: Wildcard Origin
28|

    29|Access-Control-Allow-Origin: *
    30|Access-Control-Allow-Credentials: true
    31|```


    32|**Risk:** Any website can make credentialed requests. This is game-over for data security.
    33|
    34|### ❌ Pattern 2: Reflective Origin (Echo Back)
    35|

```javascript
    36|// Bad: copy-pastes whatever Origin the request sent
    37|res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
    38|res.setHeader('Access-Control-Allow-Credentials', 'true');
    39|```


    40|**Risk:** An attacker hosts evil.com, you visit it, and it requests api.yourbank.com. The server sees Origin: evil.com and echoes it back — boom, CORS bypassed.
    41|
    42|### ❌ Pattern 3: Overly Permissive Subdomains
    43|

```http
    44|Access-Control-Allow-Origin: https://*.your-site.com
    45|```


    46|**Risk:** If any subdomain has an XSS vulnerability, the attacker can pivot to your API.
    47|
    48|## How to Fix CORS Properly
    49|
    50|### ✅ The Safe Way (Whitelist)
    51|
    52|

```javascript
    53|const whitelist = [
    54|  'https://app.yoursite.com',
    55|  'https://admin.yoursite.com'
    56|];
    57|
    58|app.use(cors({
    59|  origin: (origin, cb) => {
    60|    if (!origin || whitelist.includes(origin)) {
    61|      cb(null, true);
    62|    } else {
    63|      cb(new Error('Not allowed'));
    64|    }
    65|  },
    66|  credentials: true
    67|}));
    68|```


    69|
    70|### ✅ Always Include `Vary: Origin`
    71|

```http
    72|Vary: Origin
    73|```


    74|This tells CDNs and browsers to cache responses per-origin.
    75|
    76|### ✅ Never Combine `*` with Credentials
    77|If you need `credentials: true`, you must use an explicit origin.
    78|
    79|## Test Your Site Now
    80|
    81|Don't guess — test. Use [WebSec Scanner Pro](https://sec.92888888.xyz) to check your CORS configuration:
    82|
    83|1. Enter your URL
    84|2. Hit "Scan Now"
    85|3. Check the CORS section in results
    86|4. Fix any issues found
    87|
    88|**Free tier available — no signup required.**
    89|
    90|## Pricing
    91|
    92|| Plan | Price |
    93||------|-------|
    94|| **Free** | $0 (10 scans/day) |
    95|| **Download** | $29 (unlimited) |
    96|| **Online Basic** | $49/mo |
    97|| **Online Pro** | $149/mo |
    98|
    99|**Contact/Payment:** jhonwind2023@gmail.com | PayPal: 719272445@qq.com
   100|
   101|---
   102|
   103|*Your API is only as secure as its CORS configuration. Don't let a missing header leak your users' data.*
   104|