Open CORS Policy
An API route sets Access-Control-Allow-Origin to * on routes that accept credentials, allowing any origin on the internet to call your API in a user's browser.
Typical error
Access-Control-Allow-Origin set to wildcard on authenticated routes
What this is
An open CORS policy like:
response.headers.set('Access-Control-Allow-Origin', '*')
response.headers.set('Access-Control-Allow-Credentials', 'true')

tells every browser, on every site, to treat your API as callable with the visitor's cookies. A malicious site can then make authenticated calls to your API on behalf of any logged-in user who visits it.
Note: browsers actually reject the combination of Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true, so credentialed requests fail. AI tools often ship this invalid combination, so auth appears broken in dev. The fix they then choose is often "set Access-Control-Allow-Origin to whatever the request's Origin header says", which is just as bad: it satisfies the browser's check while still granting every origin credentialed access.
Why AI tools ship this
CORS errors are common in local development. The quickest way to silence them is to wildcard the allowed origins. The fix propagates to production unchanged.
How to detect
Search for CORS header setters:
grep -rE "Access-Control-Allow-Origin" --include="*.ts" --include="*.tsx" .

Anywhere you see * or a value derived from req.headers.origin, treat it as a finding.
How to fix
Allow only your own origins. Maintain an allowlist:
const ALLOWED_ORIGINS = new Set([
  'https://yourapp.com',
  'https://www.yourapp.com',
  'https://preview.yourapp.com',
])

// Returns CORS headers only for an allowlisted Origin; any other origin
// gets no CORS headers at all, so the browser blocks the cross-origin read.
export function corsHeaders(origin: string | null) {
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      // Vary: Origin keeps a shared cache from serving one origin's grant to another.
      'Vary': 'Origin',
    }
  }
  return {}
}

For public read-only APIs, * is fine, but never combine it with Access-Control-Allow-Credentials: true.
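As an added example (not code from the original page), the three policies this page contrasts are modelled as plain functions and audited by calling each with a request Origin and checking what a browser on that origin would be told. The domains are constructed placeholders and auditPolicy is a hypothetical helper.

```typescript
type HeaderMap = Record<string, string>;
type CorsPolicy = (requestOrigin: string | null) => HeaderMap;

// Constructed allowlist; replace with your own origins.
export const ALLOWED_ORIGINS = new Set(['https://yourapp.com', 'https://www.yourapp.com']);

// Pattern from "What this is": wildcard plus credentials (browsers reject it).
export const wildcardPolicy: CorsPolicy = () => ({
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
});

// Pattern from the note: echo the request Origin so the browser stops complaining.
export const reflectOriginPolicy: CorsPolicy = (origin) => ({
  'Access-Control-Allow-Origin': origin ?? '*',
  'Access-Control-Allow-Credentials': 'true',
});

// Pattern from "How to fix": only allowlisted origins get CORS headers at all.
export const allowlistPolicy: CorsPolicy = (origin) =>
  origin !== null && ALLOWED_ORIGINS.has(origin)
    ? { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' }
    : {};

export type Finding = 'wildcard-with-credentials' | 'reflected-origin' | 'missing-vary';

// Calls a policy with one request origin and reports every dangerous grant in
// the resulting headers. An empty result means the policy held for that origin.
export function auditPolicy(policy: CorsPolicy, allowlist: Set<string>, probeOrigin: string): Finding[] {
  const findings: Finding[] = [];
  const h = policy(probeOrigin);
  const acao: string | undefined = h['Access-Control-Allow-Origin'];
  const credentialed = h['Access-Control-Allow-Credentials'] === 'true';
  if (acao === undefined) return findings; // no CORS grant at all: safe
  if (acao === '*' && credentialed) findings.push('wildcard-with-credentials');
  // A specific origin that is not on the allowlist means the request Origin was reflected.
  if (acao !== '*' && !allowlist.has(acao)) findings.push('reflected-origin');
  // A per-origin value without Vary: Origin can be cached and replayed to a different origin.
  if (acao !== '*' && h['Vary'] !== 'Origin') findings.push('missing-vary');
  return findings;
}
```

Run auditPolicy against your own header helper with an origin you do not own; anything other than an empty list is the finding the detection section describes.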
Related
- Glossary: auth bypass