What it is
CORS (Cross-Origin Resource Sharing) is controlled by response headers such as Access-Control-Allow-Origin. A misconfiguration might allow any origin (*) or reflect the request Origin back without checking it against an allowlist. That can let other sites read or abuse your API from a visitor's browser.
Why it matters
Overly permissive CORS can expose your API to any website. If you use credentials (cookies, auth headers), Allow-Origin must be a specific origin, not *. Fixing CORS limits which sites can call your API from the browser and is a common audit finding.
How it is exploited
When Access-Control-Allow-Origin reflects the request Origin and Allow-Credentials is true, attacker.example can fetch your authenticated API endpoints from a logged-in user's browser, read the JSON response, and exfiltrate session data.
How to fix it
- See what you're sending. Run Barrion's CORS check or inspect the Access-Control-Allow-Origin and related headers in your API responses. Note whether you're using * or reflecting the request Origin for every request.
- Define allowed origins. List the origins that should be allowed to call your API (e.g. https://app.example.com, https://admin.example.com). Avoid * if your API is used with credentials or returns sensitive data.
- Set the header from an allowlist. In your app or reverse proxy, check the request Origin against your allowlist. If it matches, send Access-Control-Allow-Origin with that origin (one value only). If you need credentials, also set Access-Control-Allow-Credentials: true and ensure Allow-Origin is not *.
- Verify. Re-run the CORS check from an allowed and a disallowed origin. Confirm that only allowed origins get access and that credentials behave as intended.
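The four steps above, carried out in code: an added example (not Barrion's code and not the page's own snippets) of an allowlist-based CORS handler for a plain Node.js (req, res) pair. The allowlist contents, the function names corsHeadersFor and applyCors, and the allowed methods and headers are assumptions chosen for illustration.

```javascript
// Added example (not Barrion's code). ALLOWED_ORIGINS is an assumed allowlist;
// replace it with the origins that should be allowed to call your API.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Returns the CORS headers to add for one request, or an empty object when the
// Origin header is absent or not on the allowlist. No header at all means the
// browser blocks the cross-origin read, so "deny" is simply "say nothing".
// The comparison is an exact string match: no regex, no prefix or substring
// test, so "https://app.example.com.evil.example" does not pass.
function corsHeadersFor(origin, method, allowCredentials = true) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  const headers = {
    'Access-Control-Allow-Origin': origin, // exactly one value, never "*"
    'Vary': 'Origin',                      // caches must key on Origin
  };
  if (allowCredentials) {
    // Only valid together with a specific origin; browsers refuse "*" here.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  if (method === 'OPTIONS') {
    // Preflight answer (assumed method/header list for this example).
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Applies the headers to a Node http response and short-circuits preflight
// requests with 204 so the real route handler only sees actual requests.
// Returns true when the request was fully handled here.
function applyCors(req, res) {
  const headers = corsHeadersFor(req.headers.origin, req.method);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    res.end();
    return true;
  }
  return false;
}
```

Wire it in front of your routes, e.g. `http.createServer((req, res) => { if (applyCors(req, res)) return; /* route handling */ })`, or as the first Express middleware with `next()` after a false return. The important design choice is that an unknown origin gets no Access-Control-Allow-Origin header rather than a reflected one, and that Vary: Origin is always sent with a per-origin value so a shared cache never hands one origin's response to another.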
Examples by platform
Nginx

# Anchored, escaped regex: only https://app.example.com and https://admin.example.com match,
# so lookalikes such as https://app.example.com.evil.example do not. Add Vary: Origin
# so caches do not serve one origin's response to another.
if ($http_origin ~* "^https://(app|admin)\.example\.com$") {
    add_header Access-Control-Allow-Origin $http_origin;
    add_header Vary Origin;
}

Node.js (Express)
// Exact-match allowlist: the Origin header is compared as a whole string.
const allowed = ['https://app.example.com'];
app.use((req, res, next) => {
  const origin = req.headers.origin;
  if (allowed.includes(origin)) {
    // Echo only an origin that passed the allowlist check (one value, never *).
    res.setHeader('Access-Control-Allow-Origin', origin);
    // Tell caches the response depends on the Origin header.
    res.setHeader('Vary', 'Origin');
  }
  next();
});

How to verify the fix
Probe with an untrusted Origin and confirm the API does not reflect it back (the response must not contain Access-Control-Allow-Origin: https://evil.example):

curl -sI -H "Origin: https://evil.example" https://api.example.com

-I sends a HEAD request; if your API answers HEAD differently from GET, send a GET and print only the headers instead: curl -s -D - -o /dev/null -H "Origin: https://evil.example" https://api.example.com. Then repeat with an allowed origin and confirm that one is echoed, together with Access-Control-Allow-Credentials: true if you rely on credentials.
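To turn that manual probe into a repeatable check, here is an added example (not Barrion's CORS check) that parses the header block curl prints and classifies what it says about one probe Origin. The sample responses are constructed to mimic the "before" and "after" states described on this page; the function names and verdict strings are assumptions.

```javascript
// Added example (not Barrion's checker). Parses a raw header block as printed
// by `curl -sI` or `curl -s -D -` into a map keyed by lowercase header name.
// The status line and blank lines are skipped.
function parseHeaderBlock(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0 || line.startsWith('HTTP/')) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Verdict for one probe. `trusted` says whether probeOrigin is on your
// allowlist: echoing an allowed origin is correct, echoing any other origin
// is the misconfiguration this page is about.
function classifyCors(headers, probeOrigin, trusted) {
  const acao = headers['access-control-allow-origin'];
  const creds = (headers['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const vary = (headers['vary'] || '').toLowerCase().split(',').map((s) => s.trim());

  if (acao === '*') return creds ? 'misconfigured: * with credentials' : 'weak: wildcard';
  if (acao === 'null') return 'weak: null origin allowed';
  // No header, or a header naming some other fixed origin: fine for an
  // untrusted probe, a bug for a trusted one.
  if (acao !== probeOrigin) return trusted ? 'broken: allowed origin denied' : 'ok: untrusted origin denied';
  if (!trusted) return creds ? 'vulnerable: origin reflected with credentials' : 'weak: origin reflected';
  return vary.includes('origin') ? 'ok: allowed origin' : 'ok: allowed origin (missing Vary: Origin)';
}

// Constructed sample responses (not captured from a real server).
const SAMPLES = {
  beforeFix: {
    probe: 'https://evil.example', trusted: false,
    raw: ['HTTP/1.1 200 OK', 'Content-Type: application/json',
          'Access-Control-Allow-Origin: https://evil.example',
          'Access-Control-Allow-Credentials: true', ''].join('\r\n'),
  },
  afterFixUntrusted: {
    probe: 'https://evil.example', trusted: false,
    raw: ['HTTP/1.1 200 OK', 'Content-Type: application/json', 'Vary: Origin', ''].join('\r\n'),
  },
  afterFixTrusted: {
    probe: 'https://app.example.com', trusted: true,
    raw: ['HTTP/1.1 200 OK', 'Content-Type: application/json',
          'Access-Control-Allow-Origin: https://app.example.com',
          'Access-Control-Allow-Credentials: true', 'Vary: Origin', ''].join('\r\n'),
  },
};

// Runs every sample through the classifier and returns {name: verdict}.
function runChecks() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) {
    out[name] = classifyCors(parseHeaderBlock(s.raw), s.probe, s.trusted);
  }
  return out;
}
```

Feed `parseHeaderBlock` the output of the curl commands above for both an untrusted and an allowed origin; a fixed deployment should yield "ok: untrusted origin denied" for the first and "ok: allowed origin" for the second, and any "vulnerable" or "misconfigured" verdict means the Origin is still being reflected or the wildcard is still in use.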