Go Cors Wildcard With Credentials
Description
Detects insecure CORS configurations in Go Gin applications where the Access-Control-Allow-Origin header is set to a wildcard (*) while Access-Control-Allow-Credentials is true. Credentials (cookies, HTTP authentication, client certificates) are what make a cross-origin request authenticated, so an origin policy that admits every site lets a malicious page read responses meant for the logged-in user. Note that browsers refuse a credentialed response whose Access-Control-Allow-Origin is a literal *, so in practice the exploitable form of this misconfiguration is the request's Origin header echoed back without validation, which gives every origin the same access without the browser error; both should be treated as the same finding. The fix is an exact allow-list of origins, together with Vary: Origin whenever an allow-listed origin is echoed back, so that a shared cache does not serve one origin's response to another.
Detection Strategy
• Check for header-setting operations in Go code that configure Access-Control-Allow-Origin, such as c.Header(...) in Gin or w.Header().Set(...) in net/http handlers
• Verify whether the header value is a wildcard (*) or another unsafe origin pattern, for example the request's Origin header echoed back without an allow-list check
• Flag the configuration as vulnerable when such an all-origins value is combined with Access-Control-Allow-Credentials set to true, since that is the combination that exposes authenticated responses
Vulnerable code example
package main
import "github.com/gin-gonic/gin"
func configureCORS() gin.HandlerFunc {
	return func(c *gin.Context) {
		// Vulnerable: Using wildcard origin '*' with Allow-Credentials true is insecure
		c.Header("Access-Control-Allow-Origin", "*")
		c.Header("Access-Control-Allow-Credentials", "true")
	}
}
✅ Secure code example
package main
import "github.com/gin-gonic/gin"
func configureCORS() gin.HandlerFunc {
	return func(c *gin.Context) {
		// Safe: Specify exact allowed origin instead of wildcard when using credentials
		origin := c.Request.Header.Get("Origin")
		if origin == "https://app.example.com" { // exact allow-list entry (example value); use a map for several origins
			c.Header("Access-Control-Allow-Origin", origin)
			c.Header("Access-Control-Allow-Credentials", "true")
		}
	}
}