Saw this in 70% of Workers I've reviewed:
```javascript
headers.set('Access-Control-Allow-Origin', '*');
headers.set('Access-Control-Allow-Credentials', 'true');
```
Looks harmless, right?
It's a security hole.
The Problem
When you use wildcard (*) with credentials, you're telling browsers:
"Allow ANY website to make authenticated requests to my API."
This means malicious sites can:
- Read user data
- Make requests on behalf of logged-in users
- Steal session tokens
The Fix
Option 1: Use specific origins
```javascript
const allowedOrigins = ['https://yourdomain.com', 'https://app.yourdomain.com'];
const origin = request.headers.get('Origin');
if (allowedOrigins.includes(origin)) {
  headers.set('Access-Control-Allow-Origin', origin);
  headers.set('Access-Control-Allow-Credentials', 'true');
}
```
Option 2: Don't use credentials
If you don't need cookies/auth headers:
```javascript
headers.set('Access-Control-Allow-Origin', '*');
// No credentials header at all
```
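Both options combined into one helper, as an added example that is not code from the original post: it matches the Origin header exactly against the allow-list, adds `Vary: Origin` so caches do not reuse one origin's response for another, and falls back to a bare wildcard only when credentials are off. The function names `corsHeadersFor` and `applyCors` are hypothetical, and the origins are the post's placeholders.

```javascript
// Added example. Origins are the post's placeholder values.
const ALLOWED_ORIGINS = new Set([
  'https://yourdomain.com',
  'https://app.yourdomain.com',
]);

// Returns the CORS response headers for one request as a plain object.
// `origin` is the raw Origin request header (null/undefined if absent).
function corsHeadersFor(origin, { credentials = true } = {}) {
  if (!credentials) {
    // Option 2: public data, no cookies or auth headers. Wildcard only.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  // The response now depends on Origin, so tell caches to key on it.
  const headers = { 'Vary': 'Origin' };
  // Option 1: exact string match. No substring, suffix or regex checks,
  // so "https://yourdomain.com.example.net" and the literal "null"
  // origin (sandboxed iframes, file://) never match.
  if (typeof origin === 'string' && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  // Unlisted origin: no Allow-Origin header, so the browser blocks the read.
  return headers;
}

// Copies the computed headers onto a Headers-like object (anything with
// get/set), e.g. the `headers` a Worker builds for its Response.
function applyCors(request, headers, options) {
  const computed = corsHeadersFor(request.headers.get('Origin'), options);
  for (const [name, value] of Object.entries(computed)) {
    // Merge with an existing Vary value instead of overwriting it.
    const prior = name === 'Vary' ? headers.get('Vary') : null;
    headers.set(name, prior ? `${prior}, ${value}` : value);
  }
  return headers;
}
```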
The Rule
Wildcard OR credentials. Never both.
Simple as that.
Have you made this mistake? Don't worry—so have I. And pretty much everyone else when they started.