Python Cors Allow All Origins Fastapi
Description
Detects insecure CORS configuration in FastAPI applications where all origins are allowed using a wildcard (*). This configuration bypasses Same-Origin Policy restrictions and allows any domain to make cross-origin requests to the API, potentially enabling malicious websites to interact with the application.
Detection Strategy
• Check if CORS is configured in FastAPI application by looking for CORS middleware or configuration
• Identify if the 'allow_origins' parameter is set with a wildcard (*) value
• Verify the CORS configuration is applied to a FastAPI application instance
Vulnerable code example
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
app = FastAPI()
# Insecure CORS configuration allowing all origins with credentials
app.add_middleware(
CORSMiddleware,...✅ Secure code example
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
app = FastAPI()
# Define specific allowed origins
allowed_origins = [
"http://localhost:8080",...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.