
What is CORS and Why It Matters for Web Security

Understand Cross-Origin Resource Sharing (CORS), how misconfigured CORS policies create security vulnerabilities, and how to configure CORS correctly for your web applications.

March 10, 2026

If you've ever seen a browser console error that says "Access to fetch has been blocked by CORS policy," you've encountered Cross-Origin Resource Sharing. CORS is one of the most misunderstood web security mechanisms, and misconfiguring it is one of the most common vulnerabilities in modern web applications — especially those built with AI coding tools.

What is CORS?

CORS (Cross-Origin Resource Sharing) is a security mechanism built into web browsers that controls which websites can make requests to your server. By default, browsers enforce the Same-Origin Policy, which prevents web pages from making requests to a different domain than the one that served the page.

CORS relaxes this restriction in a controlled way. When your frontend (running on app.example.com) needs to make API calls to your backend (running on api.example.com), CORS headers tell the browser that this cross-origin request is permitted.

How CORS Works

When a browser makes a cross-origin request, it includes an Origin header indicating where the request came from. The server responds with CORS headers that tell the browser whether the request is allowed:

  • Access-Control-Allow-Origin — which origins are permitted
  • Access-Control-Allow-Methods — which HTTP methods are allowed
  • Access-Control-Allow-Headers — which request headers are permitted
  • Access-Control-Allow-Credentials — whether cookies can be included

For requests that are not "simple" requests (for example, a method other than GET, HEAD or POST, a custom request header, or a JSON Content-Type), the browser first sends a preflight request (an OPTIONS request) to check whether the actual request is permitted.

Common CORS Misconfigurations

Wildcard Origin with Credentials

The most dangerous misconfiguration is setting Access-Control-Allow-Origin: * on endpoints that handle authenticated requests. Browsers refuse this specific combination (a wildcard origin together with Access-Control-Allow-Credentials: true), so many developers work around it by reflecting the Origin header instead, which is equally dangerous.

Origin Reflection

A common pattern in AI-generated code is reflecting the request's Origin header back in the Access-Control-Allow-Origin response:

// VULNERABLE: Origin reflection. Whatever Origin the browser sends is echoed
// back, so any site is granted credentialed access.
app.use((req, res, next) => {
  res.header('Access-Control-Allow-Origin', req.headers.origin);
  res.header('Access-Control-Allow-Credentials', 'true');
  next();
});

// SECURE: Explicit origin whitelist. Only an exact match is granted; every
// other origin gets no Access-Control-Allow-Origin header at all.
const allowedOrigins = ['https://app.example.com', 'https://staging.example.com'];
app.use((req, res, next) => {
  const origin = req.headers.origin;
  // Vary: Origin so a shared cache never serves one origin's grant to another.
  res.header('Vary', 'Origin');
  if (allowedOrigins.includes(origin)) {
    res.header('Access-Control-Allow-Origin', origin);
    res.header('Access-Control-Allow-Credentials', 'true');
  }
  next();
});

Null Origin Allowance

Some configurations allow the null origin (Access-Control-Allow-Origin: null). Browsers send Origin: null from sandboxed iframes and from pages opened via file:// URLs, so allowing it is effectively allowing any attacker-controlled page.
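The following is an added example, not code from the original post, that pulls the pieces above together in one framework-agnostic function: it emits the headers listed under "How CORS Works", uses an exact allowlist instead of reflecting the Origin header, refuses the "null" origin by construction, and answers preflight (OPTIONS) requests. The policy values, origins and request shapes are constructed for illustration; the request is modelled as `{ method, headers }` with lower-cased header names, as Node's http module delivers them.

```javascript
// Added example (not from the original post): a small CORS policy function
// that returns the response headers a server should send for one request.
// Policy values below are constructed for illustration.

const DEFAULT_POLICY = {
  allowedOrigins: ['https://app.example.com', 'https://staging.example.com'],
  allowedMethods: ['GET', 'POST', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  allowCredentials: true,
  maxAgeSeconds: 600,
};

// Exact, case-sensitive allowlist match. The literal string "null" (sent by
// sandboxed iframes and file:// pages) can never match an https:// entry.
function isAllowedOrigin(origin, policy) {
  return typeof origin === 'string' && policy.allowedOrigins.includes(origin);
}

// req is { method, headers } with lower-cased header names (assumed shape).
// Returns a plain object of CORS response headers, possibly just Vary.
function corsHeadersFor(req, policy = DEFAULT_POLICY) {
  // Vary: Origin goes on every response because the answer depends on the
  // Origin header; without it a shared cache could replay one origin's
  // Access-Control-Allow-Origin to another origin.
  const out = { Vary: 'Origin' };
  const origin = req.headers.origin;

  // No Origin header (same-origin navigation, curl): nothing to grant.
  if (!origin) return out;

  // Not on the allowlist: send no Access-Control-Allow-Origin at all.
  // Echoing `origin` here instead is the origin-reflection bug from the post.
  if (!isAllowedOrigin(origin, policy)) return out;

  out['Access-Control-Allow-Origin'] = origin;
  if (policy.allowCredentials) out['Access-Control-Allow-Credentials'] = 'true';

  // Preflight: OPTIONS plus Access-Control-Request-Method. Advertise only what
  // the policy allows; the browser refuses the real request if its method or
  // headers are not listed.
  const isPreflight =
    req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (isPreflight) {
    out['Access-Control-Allow-Methods'] = policy.allowedMethods.join(', ');
    out['Access-Control-Allow-Headers'] = policy.allowedHeaders.join(', ');
    out['Access-Control-Max-Age'] = String(policy.maxAgeSeconds);
  }
  return out;
}

// Run stand-alone to see the decision for a few constructed Origin values.
if (typeof require !== 'undefined' && require.main === module) {
  for (const origin of ['https://app.example.com', 'https://attacker.example', 'null', undefined]) {
    console.log(origin, corsHeadersFor({ method: 'GET', headers: { origin } }));
  }
}
```

The important design choice is that a rejected origin gets no Access-Control-Allow-Origin header rather than a "wrong" one: the browser then blocks the cross-origin read, and nothing about the policy leaks into the response. Wiring this into Express means calling `corsHeadersFor` in a middleware and copying the returned object onto `res` with `res.set`.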

Why CORS Matters for Security

A misconfigured CORS policy can allow any website to make authenticated requests to your API on behalf of your users. An attacker could create a malicious website that, when visited by your users, silently reads their data from your API, performs actions as the user, and exfiltrates sensitive information.

Configuring CORS Correctly

The key principles for secure CORS configuration:

  • Never use wildcard origins on authenticated endpoints
  • Explicitly whitelist allowed origins
  • Only enable credentials when necessary
  • Minimize allowed methods and headers
  • Set an appropriate max-age for preflight caching

For Next.js API routes:

// app/api/data/route.ts
const allowedOrigins = ['https://yourdomain.com'];

// Only an exact allowlist match gets Access-Control-Allow-Origin; Vary: Origin keeps caches per-origin.
function corsHeaders(request: Request): Headers {
  const origin = request.headers.get('origin');
  const headers = new Headers({ Vary: 'Origin' });
  if (origin && allowedOrigins.includes(origin)) {
    headers.set('Access-Control-Allow-Origin', origin);
    headers.set('Access-Control-Allow-Credentials', 'true');
  }
  return headers;
}

export async function GET(request: Request) {
  return Response.json({ data: 'secure' }, { headers: corsHeaders(request) });
}

// Preflight handler for non-simple requests (for example, a JSON POST).
export async function OPTIONS(request: Request) {
  const headers = corsHeaders(request);
  headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
  headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization');
  headers.set('Access-Control-Max-Age', '600');
  return new Response(null, { status: 204, headers });
}

Scanning for CORS Misconfigurations

Vuln0x's CORS Configuration scanner (1 credit) tests your application for wildcard origins, origin reflection vulnerabilities, credential exposure, and preflight request handling issues. It identifies the specific misconfigurations and provides remediation guidance tailored to your framework.
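As an added example of what such a check looks like in code (this is not the post's or Vuln0x's scanner), the block below classifies a single CORS response into the misconfiguration classes discussed above, then exercises the post's reflecting and allowlisted Express-style middleware through a minimal in-process req/res stand-in. The probe origins and sample responses are constructed; when you run this against your own middleware, use probe origins that must not be allowed by your policy, since the checker cannot distinguish a legitimate allowlist hit from reflection.

```javascript
// Added example, not the post's or Vuln0x's code: an offline CORS response
// audit plus a tiny harness for Express-style middleware. Probe origins and
// sample headers are constructed for the demo.

// Classify one response to a cross-origin request from `probeOrigin`.
// Returns an array of finding names (empty means nothing flagged).
function auditCorsResponse(probeOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    if (value !== undefined) h[name.toLowerCase()] = String(value);
  }
  const acao = h['access-control-allow-origin'];
  const credentials = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const varyOrigin = /(^|,)\s*origin\s*(,|$)/i.test(h['vary'] || '');
  const findings = [];

  // No Access-Control-Allow-Origin: the browser blocks cross-origin reads.
  if (acao === undefined) return findings;

  if (acao === '*') {
    // Browsers refuse "*" with credentials, but the pair still signals an
    // endpoint that was meant to pass cookies to everyone.
    findings.push(credentials ? 'wildcard-with-credentials' : 'wildcard-origin');
    return findings;
  }
  if (acao === 'null') {
    findings.push('null-origin-allowed');
  } else if (acao === probeOrigin) {
    findings.push(credentials ? 'origin-reflection-with-credentials' : 'origin-reflection');
  }
  // A per-origin answer without Vary: Origin can be cached and served to the wrong origin.
  const perOrigin = acao === probeOrigin;
  if (perOrigin && !varyOrigin) findings.push('missing-vary-origin');
  return findings;
}

// Minimal stand-in for Express's req/res so middleware can run without a server.
function runMiddleware(middleware, origin) {
  const captured = {};
  const req = { headers: origin === undefined ? {} : { origin } };
  const res = { header(name, value) { captured[name] = value; return res; } };
  middleware(req, res, () => {});
  return captured;
}

// The reflecting middleware from the post, kept vulnerable on purpose for the audit.
const reflectingCors = (req, res, next) => {
  res.header('Access-Control-Allow-Origin', req.headers.origin);
  res.header('Access-Control-Allow-Credentials', 'true');
  next();
};

// The allowlisted version from the post, with Vary: Origin added.
const allowedOrigins = ['https://app.example.com'];
const allowlistedCors = (req, res, next) => {
  res.header('Vary', 'Origin');
  if (allowedOrigins.includes(req.headers.origin)) {
    res.header('Access-Control-Allow-Origin', req.headers.origin);
    res.header('Access-Control-Allow-Credentials', 'true');
  }
  next();
};

// Audit a middleware with each probe origin; returns { origin: [findings] }.
function auditMiddleware(middleware, probeOrigins = ['https://not-allowed.example', 'null']) {
  const report = {};
  for (const origin of probeOrigins) {
    report[origin] = auditCorsResponse(origin, runMiddleware(middleware, origin));
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('reflecting:', auditMiddleware(reflectingCors));
  console.log('allowlisted:', auditMiddleware(allowlistedCors));
}
```

Running it shows the reflecting middleware flagged for credentialed origin reflection and for accepting the null origin, while the allowlisted version produces no findings for either probe. The same `auditCorsResponse` function can be fed real response headers captured from a staging deployment, one probe origin at a time.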
