Swift Cors Wildcard Origin Config
Description
Detects insecure CORS (Cross-Origin Resource Sharing) configurations in Swift Vapor applications that use wildcard (*) origin settings. Using wildcard CORS origins allows any domain to make cross-origin requests to your API, which could enable malicious websites to access sensitive data.
Detection Strategy
• Identifies CORS middleware configuration objects created using CORSMiddleware.Configuration
• Examines the configuration arguments to detect wildcard (*) origin settings
• Reports a vulnerability when CORS is configured to allow requests from any origin (*) since this is an insecure practice that exposes APIs to cross-origin attacks
Vulnerable code example
import Vapor
func configureCORS(app: Application) {
let config = CORSMiddleware.Configuration(
allowedOrigin: .all, // Vulnerable: allows requests from ANY origin
allowedMethods: [.GET, .POST],
allowedHeaders: [.accept]
)...✅ Secure code example
import Vapor
func configureCORS(app: Application) {
let config = CORSMiddleware.Configuration(
allowedOrigin: .custom(["https://trusted-domain.com"]), // Secure: explicitly specify trusted origins
allowedMethods: [.GET, .POST],
allowedHeaders: [.accept, .authorization] // Added authorization for common auth needs
)...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.