Javascript Cors Wildcard Origin Header
Description
Detects insecure CORS (Cross-Origin Resource Sharing) configurations in Express.js applications where wildcard (*) origins are allowed. Sending Access-Control-Allow-Origin: * tells the browser that any web page, including one controlled by an attacker, may read the response to a cross-origin request. Browsers refuse to attach cookies or other credentials to a request that is answered with a wildcard, so what gets exposed is whatever the endpoint returns without them: internal APIs reachable from a victim's network, responses that vary by client IP, or data that was meant to be private but is served to anonymous callers. A wildcard also removes the only control that limits which sites can drive the API from a victim's browser.
Detection Strategy
• Identifies Express.js CORS configuration settings in the application code
• Checks for use of wildcard (*) in CORS origin settings or headers
• Reports a vulnerability when CORS is configured to accept requests from any origin using wildcards
• Examines both middleware setup and direct response header configurations that set Access-Control-Allow-Origin
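The detection strategy above, worked through as an added example (this is not code from the Fluid Attacks page or its scanner): a line-oriented scan over JavaScript source that flags the two shapes the rule describes, a direct response header that sets Access-Control-Allow-Origin to '*' and the cors middleware package configured with origin: '*' (or called with no options at all, which that package documents as defaulting to '*'). The function name scanSource and the sample sources are constructed for this example; a bare cors() call is only reported when the file actually imports the cors package, so a locally defined function that happens to be named cors is not a false positive.

```javascript
// Added example: a text-level detector for wildcard CORS origins in Express code.
// It illustrates the rule; a production scanner would work on an AST instead.

// Matches res.header(...), res.set({...}), res.setHeader(...) and
// res.writeHead(status, {...}) forms: the header name followed by ',' or ':' and '*'.
const WILDCARD_HEADER = /['"`]Access-Control-Allow-Origin['"`]\s*[,:]\s*['"`]\*['"`]/i;
// The cors npm package is in play (CommonJS or ESM import).
const CORS_PKG_IMPORT = /require\(\s*['"]cors['"]\s*\)|from\s+['"]cors['"]/;
// cors({ origin: '*' }) on one line.
const CORS_WILDCARD_OPTION = /\bcors\s*\(\s*\{[^}]*\borigin\s*:\s*['"`]\*['"`]/;
// cors() with no options: the package's default origin is '*'.
const CORS_DEFAULT_CALL = /\bcors\s*\(\s*\)/;

function scanSource(source) {
  const usesCorsPackage = CORS_PKG_IMPORT.test(source);
  const findings = [];
  source.split('\n').forEach((text, index) => {
    const line = index + 1;
    if (WILDCARD_HEADER.test(text)) {
      findings.push({ line, kind: 'wildcard-header', text: text.trim() });
    } else if (CORS_WILDCARD_OPTION.test(text)) {
      findings.push({ line, kind: 'cors-option-wildcard', text: text.trim() });
    } else if (usesCorsPackage && CORS_DEFAULT_CALL.test(text)) {
      findings.push({ line, kind: 'cors-default-wildcard', text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample sources (not real project code).
const VULNERABLE_SAMPLE = [
  "const express = require('express');",
  "const app = express();",
  "app.use((req, res, next) => {",
  "  res.header('Access-Control-Allow-Origin', '*');",
  "  next();",
  "});",
  "app.get('/legacy', (req, res) => {",
  "  res.writeHead(200, { 'Access-Control-Allow-Origin': '*' });",
  "  res.end('ok');",
  "});",
].join('\n');

const CORS_PACKAGE_SAMPLE = [
  "const cors = require('cors');",
  "app.use(cors());",
  "app.use('/public', cors({ origin: '*' }));",
].join('\n');

const SAFE_SAMPLE = [
  "const cors = require('cors');",
  "app.use(cors({ origin: ['https://trusted-site.com'] }));",
  "res.header('Access-Control-Allow-Origin', origin);",
].join('\n');

// A hand-written middleware named cors, with no package import: not reported.
const CUSTOM_CORS_SAMPLE = [
  "function cors() { return (req, res, next) => next(); }",
  "app.use(cors());",
].join('\n');

for (const [name, src] of [
  ['vulnerable', VULNERABLE_SAMPLE],
  ['cors-package', CORS_PACKAGE_SAMPLE],
  ['safe', SAFE_SAMPLE],
  ['custom-cors', CUSTOM_CORS_SAMPLE],
]) {
  console.log(name, scanSource(src));
}
```

Two limits worth knowing before relying on a scan like this: an options object split across several lines (cors({\n origin: '*' \n})) is missed by a per-line match, and origin: true, which makes the cors package reflect whatever Origin the request carried, is outside this rule even though it is at least as permissive as a wildcard.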
Vulnerable code example
const express = require('express');
const app = express();
// CORS middleware
const cors = (req, res, next) => {
  res.header('Access-Control-Allow-Origin', '*'); // Vulnerable: allows any origin to access the API
  res.header('Access-Control-Allow-Methods', 'GET, POST');
  next();
};
app.use(cors); // Every response now carries the wildcard header
Secure code example
const express = require('express');
const app = express();
// CORS middleware with whitelist of allowed origins
const corsMiddleware = (req, res, next) => {
  const allowedOrigins = ['https://trusted-site.com', 'https://api.trusted-site.com']; // Only allow specific origins
  const origin = req.headers.origin;
  if (allowedOrigins.includes(origin)) { // Exact match only: echo back the one allowed origin
    res.header('Access-Control-Allow-Origin', origin);
    res.header('Vary', 'Origin'); // Keeps a cache from replaying one origin's answer to another
  }
  res.header('Access-Control-Allow-Methods', 'GET, POST');
  next();
};
app.use(corsMiddleware);
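The allow-list middleware above, exercised against constructed requests so the difference from the wildcard version is visible without starting a server. This is an added example, not code from the Fluid Attacks page; the names makeCorsMiddleware, wildcardMiddleware, looksTrusted and runMiddleware are assumptions of this example, and the request/response objects are minimal stand-ins for Express's. It also shows why the comparison has to be an exact match: a substring check accepts an attacker host that merely contains the trusted name.

```javascript
// Added example: allow-list vs wildcard CORS middleware, run on fake req/res objects.

const ALLOWED_ORIGINS = ['https://trusted-site.com', 'https://api.trusted-site.com'];

// Hardened middleware: echo the request Origin only when it is an exact member
// of the allow list, mark the response as varying by Origin, and answer
// preflight (OPTIONS) requests without running the route handler.
function makeCorsMiddleware(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return (req, res, next) => {
    const origin = req.headers.origin;
    if (origin !== undefined && allowed.has(origin)) {
      res.header('Access-Control-Allow-Origin', origin);
      res.header('Vary', 'Origin');
    }
    res.header('Access-Control-Allow-Methods', 'GET, POST');
    if (req.method === 'OPTIONS') {
      res.status(204).end();
      return;
    }
    next();
  };
}

// The page's vulnerable pattern, kept here for side-by-side comparison.
function wildcardMiddleware(req, res, next) {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Methods', 'GET, POST');
  next();
}

// What NOT to do: a substring check that looks like an allow list. Any origin
// that contains a trusted host name passes, including attacker-registered ones.
function looksTrusted(origin) {
  return ALLOWED_ORIGINS.some((trusted) => String(origin).includes(trusted));
}

// Minimal stand-ins for Express req/res (assumed shape: header(), status(), end()).
function runMiddleware(middleware, method, origin) {
  const headers = {};
  let statusCode = 200;
  let nextCalled = false;
  const req = { method, headers: origin === undefined ? {} : { origin } };
  const res = {
    header(name, value) { headers[name] = value; return res; },
    status(code) { statusCode = code; return res; },
    end() { return res; },
  };
  middleware(req, res, () => { nextCalled = true; });
  return { headers, statusCode, nextCalled };
}

const allowListCors = makeCorsMiddleware(ALLOWED_ORIGINS);

// Constructed Origin values: a trusted page, an attacker host that embeds the
// trusted name, and a request with no Origin header at all (same-origin or curl).
const ATTACKER = 'https://trusted-site.com.attacker.example';

function summarize() {
  return ['https://trusted-site.com', ATTACKER, undefined].map((origin) => ({
    origin: origin === undefined ? '(no Origin header)' : origin,
    hardened: runMiddleware(allowListCors, 'GET', origin).headers['Access-Control-Allow-Origin'] || '(none)',
    wildcard: runMiddleware(wildcardMiddleware, 'GET', origin).headers['Access-Control-Allow-Origin'],
    substringCheckWouldAllow: looksTrusted(origin),
  }));
}

console.log(summarize());
```

Note that the hardened middleware still calls next() for the attacker origin: the server answers the request, and it is the browser that withholds the response body because no matching Access-Control-Allow-Origin came back. If an API also sets Access-Control-Allow-Credentials: true, this exact-match rule is what stops arbitrary sites from replaying the victim's cookies; browsers reject a wildcard combined with credentials, which is why attackers look for origin reflection rather than '*' on authenticated endpoints.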