Misconfigured Access-Control-Allow-Origin Header - Vulnerability Database

Misconfigured Access-Control-Allow-Origin Header

Description

Cross-Origin Resource Sharing (CORS) is a security mechanism that controls which external domains can access resources from a web application. This application has a misconfigured CORS policy that fails to properly validate the Origin header before granting access.

The server reflects arbitrary Origin values in the Access-Control-Allow-Origin header while simultaneously setting Access-Control-Allow-Credentials: true. This combination allows any website to make authenticated requests on behalf of users and read the responses, effectively bypassing the browser's same-origin policy protections.

Remediation

Implement strict Origin validation by maintaining an allowlist of trusted domains. Do not reflect user-supplied Origin headers without validation.

Recommended approaches:

1. Define a strict allowlist of trusted origins:

// Example: Node.js/Express
const express = require('express');
const app = express();

// Allowlist of trusted origins; compared with exact string matching.
const allowedOrigins = [
  'https://trusted-domain.com',
  'https://app.trusted-domain.com'
];

app.use((req, res, next) => {
  const origin = req.headers.origin;
  if (allowedOrigins.includes(origin)) {
    // Only an allowlisted Origin is echoed back, together with credential support.
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Credentials', 'true');
    // Vary on Origin so a cache never serves one origin's response to another.
    res.setHeader('Vary', 'Origin');
  }
  // Untrusted origins receive no CORS headers, so the browser applies the same-origin policy.
  next();
});

2. If CORS is not required, remove the Access-Control-Allow-Origin header entirely to rely on default same-origin policy protections.

3. Never use wildcard (*) origins with credentials: browsers reject the combination of Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true, but reflecting the request's Origin header verbatim is accepted by browsers and has the same security impact.

4. Validate origins using exact string matching rather than regular expressions or substring matching to prevent bypass techniques.

5. Consider using alternative authentication methods such as API tokens in headers instead of cookies if cross-origin access is legitimately required.
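As an added example (not Invicti's code or the affected application's), the following Node.js snippet implements the exact-match allowlist from recommendation 4 and a small audit function that flags the reflected-origin-plus-credentials pattern described above; the origins and header values are constructed.

```javascript
// Added example, not Invicti's code. Node.js, no dependencies.
// Sample origins and response headers below are constructed.

const ALLOWED_ORIGINS = new Set([
  'https://trusted-domain.com',
  'https://app.trusted-domain.com',
]);

// Exact-match allowlist check (recommendation 4). Scheme, host and port
// must match an allowlisted string exactly, so values such as
// "https://trusted-domain.com.example" or "http://trusted-domain.com"
// are rejected rather than partially matched.
function corsHeadersFor(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return {}; // no CORS headers: browser falls back to same-origin policy
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Vary on Origin so shared caches do not reuse one origin's answer.
    'Vary': 'Origin',
  };
}

// Audit helper: given the Origin value sent in a test request (one the
// application should never trust) and the response headers (lower-cased
// keys, as Node's http module provides them), report whether the server
// reflected that origin together with Access-Control-Allow-Credentials:
// true, which is the misconfiguration this entry describes.
function isVulnerableCors(probeOrigin, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = responseHeaders['access-control-allow-credentials'];
  const reflected = typeof acao === 'string' && acao === probeOrigin;
  const credentialed = typeof acac === 'string' && acac.toLowerCase() === 'true';
  return reflected && credentialed;
}

// Constructed sample: an untrusted origin echoed back with credentials.
const probeOrigin = 'https://untrusted.example';
const sampleResponse = {
  'access-control-allow-origin': probeOrigin,
  'access-control-allow-credentials': 'true',
};
```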
