Severity: HIGH | CWE-942 | API Security
CORS Wildcard Misconfiguration
Description
Your API responds with Access-Control-Allow-Origin: *, allowing any website to make authenticated requests to your API.
How Vezraa Detects It
We send an OPTIONS preflight request to the endpoint and inspect the Access-Control-Allow-Origin header in the response.
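The header check described above, as an added example that is not Vezraa's code: it classifies the CORS headers of a preflight response, and goes one step beyond the card by also recognising a server that reflects the probe's Origin back (the assumed probe origin and all header sets are constructed).

```javascript
// Added example (not Vezraa's scanner code). Classify a preflight response's
// CORS headers. PROBE_ORIGIN is an assumed, arbitrary Origin sent in the
// OPTIONS request; every header set fed to this function below is constructed.

const PROBE_ORIGIN = 'https://probe.example';

function assessCors(headers, probeOrigin = PROBE_ORIGIN) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h['access-control-allow-origin'];
  const credentials = h['access-control-allow-credentials'] === 'true';

  if (acao === undefined) {
    return { finding: 'none', severity: 'info', credentials,
             detail: 'no Access-Control-Allow-Origin header; browsers block cross-origin reads' };
  }
  if (acao === '*') {
    // Browsers refuse to deliver a credentialed response whose ACAO is "*",
    // so the wildcard mainly exposes responses that need no cookie; the card
    // above still rates it HIGH, and the invalid credentials pairing is noted.
    return { finding: 'wildcard', severity: 'high', credentials,
             detail: credentials
               ? 'wildcard paired with Allow-Credentials: true (browsers reject this pairing)'
               : 'any origin may read responses from this endpoint' };
  }
  if (acao === probeOrigin) {
    // Echoing an arbitrary Origin is the pattern that, combined with
    // credentials, lets a foreign page read authenticated responses.
    return { finding: 'reflected-origin', severity: 'high', credentials,
             detail: 'server reflects the request Origin' + (credentials ? ' with credentials' : '') };
  }
  return { finding: 'none', severity: 'info', credentials, detail: `restricted to ${acao}` };
}
```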
Real-World Impact
Malicious websites can make API requests using the victim's cookies (if credentials are included), leading to data theft and unauthorized account actions.
Fix Example
const express = require('express');
const cors = require('cors');
const app = express();

// BAD — allows any origin
app.use(cors({ origin: '*' }));

// GOOD — restrict to your domain
app.use(cors({ origin: 'https://myapp.com' }));

Affected Stacks
Express, Fastify, Next.js API, All backends