Permissive CORS

Flags Access-Control-Allow-Origin: * and cors() called with no config; a wildcard combined with credentials is escalated to critical.

Severity: warning | Category: Security | Rule: cors-config

Why this matters

A wildcard CORS policy lets any website make requests to your API from a user's browser and read the responses; when credentials are also allowed, those requests carry the user's session. This enables CSRF-style attacks in which a malicious site reads your users' data.

Bad

export async function GET(req: Request) {
  return new Response(JSON.stringify(data), {
    headers: {
      // Any origin may read this response.
      "Access-Control-Allow-Origin": "*",
    },
  });
}

Good

const ALLOWED_ORIGINS = [
  "https://myapp.com",
  "https://staging.myapp.com",
];

export async function GET(req: Request) {
  const origin = req.headers.get("origin") ?? "";
  const headers = new Headers({ "Content-Type": "application/json" });
  // Echo the origin back only when it is on the allowlist; otherwise send no
  // Access-Control-Allow-Origin header at all (an empty value is not valid).
  if (ALLOWED_ORIGINS.includes(origin)) {
    headers.set("Access-Control-Allow-Origin", origin);
    // The response now depends on Origin, so caches must key on it.
    headers.set("Vary", "Origin");
  }
  return new Response(JSON.stringify(data), { headers });
}

How to fix

Replace the wildcard '*' with an explicit allowlist of trusted origins, and validate the Origin header against that list on every request.
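The allowlist check described above, carried through as a reusable helper for fetch-style Request/Response handlers (an added example, not code from the rule page or from the tool it documents). It covers what the two snippets leave implicit: the origin is compared by exact string match, credentials are only ever granted alongside an echoed allowlisted origin and never with a wildcard, the header is omitted entirely for unknown origins, and the same policy is applied to the preflight request. POLICY, corsHeaders, handlePreflight and the sample payload are assumptions for illustration.

```typescript
// Added example: reusable CORS policy helper for Request/Response handlers.
// POLICY, corsHeaders and handlePreflight are illustrative names, not an API
// of any particular framework.

export interface CorsPolicy {
  allowedOrigins: readonly string[];
  allowCredentials?: boolean;
}

// Assumed policy: two trusted origins, cookie/token-bearing requests allowed.
export const POLICY: CorsPolicy = {
  allowedOrigins: ["https://myapp.com", "https://staging.myapp.com"],
  allowCredentials: true,
};

/**
 * Compute the CORS response headers for a request's Origin value.
 * Returns an empty record when the origin is missing or not allowlisted, so
 * no Access-Control-Allow-Origin header is emitted and the browser blocks the
 * cross-origin read. Exact comparison (not startsWith/includes) prevents a
 * look-alike such as "https://myapp.com.other.example" from matching.
 */
export function corsHeaders(
  origin: string | null,
  policy: CorsPolicy,
): Record<string, string> {
  if (origin === null || !policy.allowedOrigins.includes(origin)) {
    return {};
  }
  const headers: Record<string, string> = {
    // Echo the validated origin, never "*": a wildcard cannot be combined
    // with credentials, and echoing an unvalidated origin is equivalent to "*".
    "Access-Control-Allow-Origin": origin,
    // The response varies by Origin, so shared caches must key on it.
    Vary: "Origin",
  };
  if (policy.allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

/** Answer the browser's preflight (OPTIONS) request with the same allowlist. */
export function handlePreflight(req: Request, policy: CorsPolicy): Response {
  const headers = corsHeaders(req.headers.get("origin"), policy);
  if (Object.keys(headers).length === 0) {
    return new Response(null, { status: 403 });
  }
  return new Response(null, {
    status: 204,
    headers: {
      ...headers,
      "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
      "Access-Control-Allow-Headers": "Content-Type, Authorization",
      "Access-Control-Max-Age": "600",
    },
  });
}

/** Example route handler; the payload is constructed sample data. */
export async function GET(req: Request): Promise<Response> {
  const data = { user: "alice", plan: "pro" }; // constructed sample payload
  return new Response(JSON.stringify(data), {
    headers: {
      "Content-Type": "application/json",
      ...corsHeaders(req.headers.get("origin"), POLICY),
    },
  });
}
```

Wire handlePreflight to the OPTIONS method of the same route so that the allowlist decision is made once, in corsHeaders, for both the preflight and the actual request; a mismatch between the two is a common way a correct-looking allowlist still ends up permissive.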
