Question 1

What is a CORS misconfiguration vulnerability?

Accepted Answer

A CORS misconfiguration occurs when a server sets overly permissive Access-Control-Allow-Origin headers — such as reflecting any origin, using wildcards with credentials, or trusting null origins. This allows malicious websites to make authenticated cross-origin requests and read responses containing sensitive data like API keys, user profiles, or session tokens that should be restricted by the same-origin policy.

Question 2

How do I securely configure CORS headers?

Accepted Answer

Maintain a strict allowlist of trusted origins rather than reflecting the Origin header or using wildcards. Never combine Access-Control-Allow-Credentials: true with a wildcard origin. Avoid trusting the null origin. Limit allowed methods and headers to only what is necessary. Validate the Origin header server-side before including it in the response. Regularly audit your CORS configuration, especially on endpoints that return sensitive data.

CORS Exploit

Challenges

Frequently Asked Questions