Access-Control-Allow-Origin: * with Credentials: true is a critical CORS misconfiguration exposing sensitive data.
By Seoxpert Editorial · Published
This misconfiguration signals a serious security risk, because it invites malicious sites to attempt credentialed cross-origin requests. Although browsers reject that header combination, the server code that produced it may still be vulnerable to other attacks. Search engines may also flag or penalize sites with security issues, impacting SEO and user trust.
Leaving this unresolved exposes your site to potential data leaks and security vulnerabilities.
An automated crawler detects this by sending requests and checking for both headers: Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true.
Problem: Express.js CORS misconfiguration
// BAD: Allows any origin with credentials
app.use((req, res, next) => {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Credentials', 'true');
  next();
});

Fix: Allowlist trusted origins only
// GOOD: Only allow trusted origins with credentials
const allowedOrigins = ['https://trusted.com'];
app.use((req, res, next) => {
  const origin = req.headers.origin;
  // Echo the Origin header only when it is in the allowlist
  if (allowedOrigins.includes(origin)) {
    res.header('Access-Control-Allow-Origin', origin);
    res.header('Access-Control-Allow-Credentials', 'true');
  }
  next();
});

Browsers refuse credentialed responses whose Access-Control-Allow-Origin is '*', because honoring them would expose sensitive data to any site.
Set the header to a specific trusted origin from an allowlist, not '*', and only echo the request's Origin when it matches an allowlist entry.
Otherwise any site can make credentialed requests as if it were a trusted origin, risking data leaks and further attacks.
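The following is an added example, not code from the original page or from any specific project. It works through both points above: the allowlist-based fix (a reusable Express-style middleware that echoes only an allowlisted Origin and answers preflights) and the detection check the crawler performs (a function that flags a response whose headers combine a wildcard origin with credentials). The middleware shape, the `corsHeadersFor`, `makeCorsMiddleware` and `isDangerousCors` names, the `Vary: Origin` addition and the sample responses at the bottom are all assumptions or constructed inputs; it uses plain objects so it runs without Express installed.

```javascript
// Added example (not the page's code). Express-compatible CORS allowlist
// middleware plus a checker for the "*" + credentials misconfiguration.

// Compute the CORS response headers for a given request Origin.
// Returns {} when the Origin is absent or not allowlisted: the browser then
// refuses the cross-origin read, and no wildcard is ever sent with credentials.
function corsHeadersFor(origin, allowedOrigins) {
  if (typeof origin !== 'string' || !allowedOrigins.includes(origin)) {
    return {};
  }
  return {
    // Echo the exact allowlisted origin, never '*', when credentials are allowed.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Assumed hardening: vary on Origin so a shared cache does not hand one
    // origin's headers to a different origin.
    'Vary': 'Origin',
  };
}

// Middleware factory (hypothetical name) usable as app.use(makeCorsMiddleware([...])).
// req.headers.origin, res.setHeader and next follow the Express/Node http shape.
function makeCorsMiddleware(allowedOrigins) {
  const allowlist = [...new Set(allowedOrigins)];
  return function cors(req, res, next) {
    const headers = corsHeadersFor(req.headers.origin, allowlist);
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    if (req.method === 'OPTIONS') {
      // Preflight: answer here; Express would otherwise route it to a handler.
      res.statusCode = 204;
      res.end();
      return;
    }
    next();
  };
}

// Detection check in the spirit of the crawler described on the page: true
// when a response carries Access-Control-Allow-Origin: * together with
// Access-Control-Allow-Credentials: true. Header names are matched
// case-insensitively and values are trimmed, as real responses vary.
function isDangerousCors(responseHeaders) {
  const lower = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lower[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = lower['access-control-allow-origin'] || '';
  const allowCreds = (lower['access-control-allow-credentials'] || '').toLowerCase();
  return allowOrigin === '*' && allowCreds === 'true';
}

// Constructed sample responses (not captured from any real site) so the block
// runs stand-alone and shows the two outcomes side by side.
function demo() {
  const badResponse = {
    'Access-Control-Allow-Origin': '*',
    'access-control-allow-credentials': 'TRUE',
  };
  const goodResponse = corsHeadersFor('https://trusted.com', ['https://trusted.com']);
  return {
    badFlagged: isDangerousCors(badResponse),   // true
    goodFlagged: isDangerousCors(goodResponse), // false
  };
}

console.log(demo());
```

Because `corsHeadersFor` returns nothing for an unknown Origin, a request from an origin outside the allowlist gets no CORS headers at all, which is the correct fail-closed behaviour; it never falls back to `*`.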
Run a scan to see if Dangerous CORS: Access-Control-Allow-Origin: * with Credentials: true affects your pages.