Saw this in 70% of Workers I've reviewed:
headers.set('Access-Control-Allow-Origin', '*');
headers.set('Access-Control-Allow-Credentials', 'true');
Looks harmless, right?
It's a security hole.
The Problem
When you use the wildcard (*) together with credentials, you're telling browsers:
"Allow ANY website to make authenticated requests to my API."
This means malicious sites can:
- Read user data
- Make requests on behalf of logged-in users
- Steal session tokens
The Fix
Option 1: Use specific origins
const allowedOrigins = ['https://yourdomain.com', 'https://app.yourdomain.com'];
const origin = request.headers.get('Origin');
if (allowedOrigins.includes(origin)) {
  headers.set('Access-Control-Allow-Origin', origin);
  headers.set('Access-Control-Allow-Credentials', 'true');
}
Option 2: Don't use credentials
If you don't need cookies/auth headers:
headers.set('Access-Control-Allow-Origin', '*');
// No credentials header at all
The Rule
Wildcard OR credentials. Never both.
Simple as that.
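Both options in one Worker-side helper, as an added example that is not code from the original post: an exact-match allowlist gets credentials, a public endpoint gets the bare wildcard, and the two are never combined. The names ALLOWED_ORIGINS, corsHeadersFor and handleRequest are assumptions.

```javascript
// Added example, not code from the original post. Worker-side CORS helper
// that never pairs the wildcard with credentials: an allowlisted origin gets
// credentials, anything else gets either a bare wildcard or no CORS headers.
// ALLOWED_ORIGINS, corsHeadersFor and handleRequest are names chosen here.

const ALLOWED_ORIGINS = new Set([
  'https://yourdomain.com',
  'https://app.yourdomain.com',
]);

// originHeader: value of the request's Origin header (null if absent).
// withCredentials: true when the API relies on cookies or auth headers.
function corsHeadersFor(originHeader, withCredentials) {
  const headers = {};
  if (!withCredentials) {
    // Option 2 from the post: public API, wildcard alone, no credentials header.
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }
  // Option 1: exact-match allowlist. Set.has is a whole-string comparison, so
  // look-alikes such as https://yourdomain.com.evil.example do not pass.
  if (originHeader && ALLOWED_ORIGINS.has(originHeader)) {
    headers['Access-Control-Allow-Origin'] = originHeader;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    // The response now depends on Origin, so shared caches must key on it.
    headers['Vary'] = 'Origin';
  }
  // Unknown origin: no CORS headers at all, so the browser blocks the read.
  return headers;
}

// Worker fetch handler: answers the preflight and decorates the real response.
// Uses the standard Request/Response globals (available in Workers and Node 18+).
async function handleRequest(request) {
  const cors = corsHeadersFor(request.headers.get('Origin'), true);
  if (request.method === 'OPTIONS') {
    return new Response(null, { status: 204, headers: cors });
  }
  return new Response(JSON.stringify({ ok: true }), {
    status: 200,
    headers: { 'Content-Type': 'application/json', ...cors },
  });
}
// In a module Worker this is wired up as: export default { fetch: handleRequest }
```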
Have you made this mistake? Don't worry—so have I. And pretty much everyone else when they started.