CORS Misconfigurations: The #1 API Security Mistake (And How to Fix It)
CORS misconfigurations expose your API to unauthorized access. Learn the most common mistakes, how attackers exploit them, and how to configure CORS correctly.
What is CORS?
Cross-Origin Resource Sharing (CORS) is the browser mechanism that relaxes the same-origin policy. Your API uses response headers to tell the browser which origins (scheme, host and port, e.g. https://app.example.com) may read its responses from cross-origin requests, and whether the browser may attach cookies or other credentials to those requests. Note what CORS does not do: it does not stop a request from reaching your server (the browser sends it and only withholds the response from the page), and it does not apply to non-browser clients such as curl. When misconfigured, it lets a page on any site read authenticated responses from your API through the victim's browser.
The 5 Most Common CORS Mistakes
1. Reflecting the Origin Header
The worst possible configuration: your server copies the request's Origin header into the response, whatever it is, and allows credentials:
Access-Control-Allow-Origin: https://attacker-site.com
Access-Control-Allow-Credentials: true
(The first value is the attacker's Origin, echoed back.) Any website a logged-in user visits can now call your API from JavaScript with fetch(url, { credentials: 'include' }), which sends the user's session cookie, and read the response, so the attacker gets whatever that user can see. The attack needs a credential the browser attaches automatically, typically a session cookie; SameSite=Lax or Strict cookies blunt it, but a cookie set SameSite=None for legitimate cross-site use is fully exposed.
2. Using Wildcard with Credentials
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Browsers refuse this combination: when credentials are in play, a * value is rejected and the response is blocked. Developers then often "fix" the error by reflecting the Origin header, which is mistake 1 and strictly worse, because the wildcard at least kept credentials out.
3. Trusting Null Origin
Access-Control-Allow-Origin: null
The null origin is what browsers send from sandboxed iframes, some redirects and local files, and an attacker can produce it at will with an iframe using sandbox="allow-scripts". Allowing it with credentials is equivalent to reflecting any origin. Never trust it.
4. Partial Domain Matching
Checking whether the origin "starts with", "ends with" or "contains" your domain instead of comparing the whole origin:
// BAD: attacker can use evil-example.com
if (origin.includes('example.com')) { ... }
An attacker registers evil-example.com, or serves from example.com.evil.com, and both contain the string. Regexes with an unescaped dot or no anchors fail the same way.
5. Overly Broad Subdomain Trust
Access-Control-Allow-Origin: *.example.com
Browsers do not actually accept this value (the header takes a single origin or *), so in practice the mistake is server code that matches any *.example.com host and reflects it. If any subdomain is compromised (old staging server, forgotten test app, or a dangling DNS record that lets someone take the subdomain over), your entire API is exposed to it.
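The two flawed checks from mistakes 4 and 5 next to a hardened exact-match check, run against the same probe origins. This is an added example, not code from the article or from ScanMyVibe; the allowlist, the probe origins and the function names are constructed for illustration.

```javascript
// Added example (not from the original article): a substring check, an
// "any subdomain" regex and a strict exact-match check, side by side.
// The allowlist and probe origins below are constructed for the demo.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://example.com']);

// Mistake 4: substring match. Anything containing "example.com" passes.
function substringCheck(origin) {
  return typeof origin === 'string' && origin.includes('example.com');
}

// Mistake 5 as it usually appears in code: trust every subdomain via a regex.
// With no end anchor, "app.example.com.evil.com" passes too, and even the
// anchored form trusts every forgotten subdomain you still own.
function anySubdomainCheck(origin) {
  return typeof origin === 'string' && /^https:\/\/[^/]*\.example\.com/.test(origin);
}

// Hardened: parse the value, require https, require a bare canonical origin
// (URL.origin re-serialises it, so "https://app.example.com/x" is rejected)
// and compare against the explicit allowlist. "null", http://, look-alike
// hosts and unlisted subdomains all fail closed.
function strictCheck(origin) {
  if (typeof origin !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // "null", garbage, anything that is not a URL
  }
  return parsed.protocol === 'https:' && parsed.origin === origin && ALLOWED_ORIGINS.has(origin);
}

// Constructed probe origins, one per failure mode discussed above.
const PROBE_ORIGINS = [
  'https://app.example.com',               // legitimate front end
  'https://evil-example.com',              // look-alike the attacker registers (mistake 4)
  'https://app.example.com.evil.com',      // our host as labels inside the attacker's domain (mistake 4)
  'https://forgotten-staging.example.com', // real but abandoned subdomain (mistake 5)
  'http://app.example.com',                // plaintext twin of a trusted origin
  'null',                                  // sandboxed iframe / file:// page (mistake 3)
];

// Run every check against every probe.
function evaluate(origins = PROBE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    substring: substringCheck(origin),
    anySubdomain: anySubdomainCheck(origin),
    strict: strictCheck(origin),
  }));
}

// Every origin a check accepts that the strict check rejects is a bypass.
function bypasses(checkName, origins = PROBE_ORIGINS) {
  return evaluate(origins)
    .filter((row) => row[checkName] && !row.strict)
    .map((row) => row.origin);
}

console.table(evaluate());
console.log('substring bypasses:', bypasses('substring'));
console.log('any-subdomain bypasses:', bypasses('anySubdomain'));
```

The strict check compares the whole origin string, so adding a second trusted front end means adding its exact origin to the set, not loosening the match.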
How to Configure CORS Correctly
// Express.js, using the cors package
const express = require('express')
const cors = require('cors')

const app = express()

// Exact-match allowlist of full origins (scheme + host + port).
// No wildcards, no substring checks, no null.
const allowedOrigins = ['https://app.example.com', 'https://example.com']

app.use(cors({
  origin: (origin, callback) => {
    // origin is undefined for same-origin and non-browser requests,
    // which CORS does not govern anyway; let those through.
    if (!origin || allowedOrigins.includes(origin)) {
      callback(null, true)
    } else {
      // Passed to next(); the response carries no Access-Control-Allow-Origin,
      // so the browser refuses to expose it to the calling page.
      callback(new Error('Not allowed by CORS'))
    }
  },
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  maxAge: 600, // seconds the browser may cache a preflight result
}))
// Because the allowed origin is chosen per request, the cors package also
// sends Vary: Origin so caches do not reuse one origin's grant for another.
Key rules:
- Compare the full origin (scheme, host, port) against an explicit allowlist; never reflect the Origin header, never substring-match it, never trust null.
- Never pair Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true, and enable credentials only for the allowlisted origins that need them.
- List the subdomains that need access instead of trusting the whole *.example.com tree.
- Send Vary: Origin whenever the allowed origin is chosen per request, so caches do not serve one origin's grant to another (the cors package adds it for you).
- Set maxAge to cache preflight responses.
Test Your CORS Configuration
Run a free ScanMyVibe scan to check your CORS policy. The scanner tests for all 5 misconfigurations above and provides AI-generated fix code for your specific framework.
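A checker in the spirit of the scan described above: it sends a handful of probe Origin values to a target and classifies each response against the five mistakes. This is an added example, not ScanMyVibe's scanner; the request function is injected so the demo runs offline against constructed stand-in servers, and the registrable-domain shortcut, probe values and finding names are all assumptions made for the example.

```javascript
// Added example (not ScanMyVibe's scanner): probe a target with attacker-style
// Origin values and classify the CORS headers it returns. request(origin) is
// injected; the servers at the bottom are constructed stand-ins with no network.

// Registrable domain approximated as the last two labels (an assumption;
// a real scanner would consult the Public Suffix List).
function siteOf(targetOrigin) {
  return new URL(targetOrigin).hostname.split('.').slice(-2).join('.');
}

// One probe per misconfiguration the article lists.
function probeOrigins(targetOrigin) {
  const site = siteOf(targetOrigin);
  return [
    'https://attacker.example',              // unrelated origin: pure reflection (mistake 1)
    'null',                                  // sandboxed iframe / file origin (mistake 3)
    `https://evil-${site}`,                  // suffix match (mistake 4)
    `https://app.${site}.attacker.example`,  // prefix match (mistake 4)
    `https://forgotten-staging.${site}`,     // any-subdomain trust (mistake 5)
  ];
}

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

// Findings one response reveals for the probe it was sent with.
function classifyResponse(targetOrigin, probeOrigin, headers) {
  const h = lowerKeys(headers);
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const findings = [];
  if (acao === undefined) return findings; // no cross-origin grant at all
  if (acao === '*') {
    if (creds) findings.push('wildcard-with-credentials'); // mistake 2
    return findings; // a bare * is fine for public, cookie-free data
  }
  if (acao === 'null') findings.push('null-origin-trusted'); // mistake 3
  if (acao === probeOrigin && probeOrigin !== 'null' && probeOrigin !== targetOrigin) {
    const site = siteOf(targetOrigin);
    const host = new URL(probeOrigin).hostname;
    if (host.endsWith(`.${site}`)) findings.push('any-subdomain-trusted'); // mistake 5
    else if (host.includes(site)) findings.push('partial-domain-match');   // mistake 4
    else findings.push('origin-reflected');                                // mistake 1
  }
  // Credentials turn any of the above into readable authenticated responses.
  if (findings.length && creds) findings.push('credentials-allowed');
  return findings;
}

function scan(targetOrigin, request) {
  return probeOrigins(targetOrigin).map((probe) => ({
    probe,
    findings: classifyResponse(targetOrigin, probe, request(probe)),
  }));
}

function findingNames(results) {
  return [...new Set(results.flatMap((r) => r.findings))].sort();
}

// Constructed stand-ins for a target (no network).
const TARGET = 'https://api.example.com';
const GRANT = (origin) => ({ 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' });

// Mistake 1: echoes whatever Origin it receives, with credentials.
function reflectingServer(origin) { return GRANT(origin); }

// Mistake 5: anchored "any subdomain" regex, still with credentials.
function subdomainServer(origin) {
  return /^https:\/\/[^/]+\.example\.com$/.test(origin) ? GRANT(origin) : {};
}

// Exact allowlist; everyone else gets no CORS headers at all.
const ALLOWLIST = new Set(['https://app.example.com']);
function strictServer(origin) { return ALLOWLIST.has(origin) ? GRANT(origin) : {}; }

console.log('reflecting:', findingNames(scan(TARGET, reflectingServer)));
console.log('subdomain :', findingNames(scan(TARGET, subdomainServer)));
console.log('strict    :', findingNames(scan(TARGET, strictServer)));
```

To run it against a real host, replace the stand-in with a function that issues an HTTPS request carrying the probe as its Origin header and returns the response headers; the classification logic stays the same.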