CORS and cross-origin security monitoring

An Allow-Origin of * paired with Allow-Credentials is the classic foot-gun. Here is the short version of CORS done right, and what Barrion flags when it is not.

What it is

CORS (Cross-Origin Resource Sharing) is the browser mechanism that decides whether JavaScript on one origin can read responses from another. Servers opt in via Access-Control-Allow-Origin and related headers (Allow-Credentials, Allow-Headers, Allow-Methods, Max-Age). Misconfiguration, such as a wildcard origin combined with credentials, or reflecting any Origin back, lets malicious sites read authenticated data on behalf of your users.

Why it matters

Overly permissive CORS (e.g. Allow-Origin: *) or wrong credential handling can expose data to malicious sites. Tight, correct CORS is essential for APIs and authenticated endpoints. Monitoring catches drift and mistakes.

How Barrion checks it

Barrion inspects CORS-related response headers (Access-Control-Allow-Origin, Allow-Credentials, Allow-Headers, Allow-Methods, Max-Age). We report permissive or inconsistent settings, such as Access-Control-Allow-Origin: * combined with Allow-Credentials: true, or reflected Origin without an allow-list, and suggest safer configurations. All checks are passive.

Configuration examples

Nginx: allow a single trusted origin with credentials
add_header Access-Control-Allow-Origin "https://app.example.com" always;
add_header Access-Control-Allow-Credentials "true" always;

Verify it

curl -sI -H 'Origin: https://app.example.com' https://api.example.com | grep -i access-control
FAQ

Common questions.

Is Access-Control-Allow-Origin: * always wrong?
No. A wildcard is fine for genuinely public, unauthenticated endpoints (public JSON feeds, fonts, static APIs) because the browser refuses to combine it with credentials. It is wrong the moment the endpoint reads cookies, Authorization headers, or any per-user data.
Do I need credentials: include?
Only when the API depends on cookies or HTTP auth for the cross-origin call. If you authenticate with a bearer token in JavaScript, leave credentials at the default omit, set an exact-match Allow-Origin, and you avoid the entire credentialed-CORS class of bugs.
What is the difference between simple and preflighted requests?
A simple request uses GET, HEAD, or POST with only CORS-safelisted headers and one of three content types (text/plain, application/x-www-form-urlencoded, multipart/form-data), and the browser sends it directly. Anything else (custom headers, application/json, PUT, DELETE) triggers an OPTIONS preflight that must succeed before the real request goes out.
Why does reflecting the Origin header back qualify as a misconfiguration?
Reflecting whatever Origin the client sends, combined with Allow-Credentials: true, effectively allows any site on the internet to make authenticated requests to your API. Maintain an explicit allow-list and compare against it before echoing the value.
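The two rules this page describes (wildcard plus credentials, and a reflected Origin that is not on an allow-list) as an added, runnable example; this is illustrative code written for this page, not Barrion's checker. The ALLOWED_ORIGINS list and the sample headers are constructed, and `cors_headers_for` is a hypothetical server-side helper showing the exact-match allow-list the last answer recommends.

```python
from typing import Dict, FrozenSet, List, Optional

# Constructed allow-list for the example; a real one comes from configuration.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({"https://app.example.com"})


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def check_cors(sent_origin: str, headers: Dict[str, str],
               trusted: FrozenSet[str]) -> List[str]:
    """Findings for one response, given the Origin header the request carried.

    `trusted` is the set of origins the operator intends to allow; any other
    origin echoed back in Allow-Origin is reported as reflection.
    """
    findings: List[str] = []
    acao = _header(headers, "Access-Control-Allow-Origin")
    creds = (_header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    if acao is None:
        return findings  # no CORS opt-in at all: the browser blocks the read
    if acao == "*" and creds:
        findings.append("Allow-Origin: * combined with Allow-Credentials: true")
    if acao == sent_origin and sent_origin not in trusted:
        findings.append("Origin reflected without an allow-list"
                        + (" (with credentials)" if creds else ""))
    return findings


def cors_headers_for(request_origin: Optional[str]) -> Dict[str, str]:
    """Server side: exact-match the Origin against the allow-list before echoing it."""
    if request_origin is None or request_origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers: cross-origin JavaScript cannot read the body
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # tell caches that the response depends on Origin
    }


if __name__ == "__main__":
    probe = "https://other.example"  # constructed, not on the allow-list
    print(check_cors(probe, {"Access-Control-Allow-Origin": probe,
                             "Access-Control-Allow-Credentials": "true"}, ALLOWED_ORIGINS))
```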