Javascript Cors Allow Any Origin
Description
Detects insecure CORS configurations in NestJS applications that allow requests from any origin (*). This misconfiguration can enable malicious websites to make unauthorized requests to your API endpoints, potentially leading to data theft or unauthorized actions.
Detection Strategy
• Identifies NestJS CORS configuration settings in code
• Checks if CORS is configured to allow any origin through wildcards (*) or returning the request origin
• Reports a vulnerability when CORS is set to accept all origins without proper origin validation
• Examines both global CORS settings and controller-level CORS decorators
Vulnerable code example
import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';
async function bootstrap() {
// Vulnerable: Enables CORS with default settings (allows all origins)
const app = await NestFactory.create(AppModule);
app.enableCors();
...✅ Secure code example
import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';
async function bootstrap() {
// Safe: Explicitly defines allowed origins and security settings
const app = await NestFactory.create(AppModule);
app.enableCors({
origin: ['https://trusted-domain.com'], // Only allow specific trusted domain...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.