Dangerous CORS: Access-Control-Allow-Origin: * with Credentials: true
Access-Control-Allow-Origin: * with Credentials: true is a critical CORS misconfiguration exposing sensitive data.
By Seoxpert Editorial · Published
Why it matters
This misconfiguration signals a serious security risk: the server is telling every origin that credentialed cross-site requests are welcome. Browsers refuse to expose a response that pairs '*' with Access-Control-Allow-Credentials: true, so the combination itself is not directly exploitable, but the code that produced it is clearly not validating origins and may be vulnerable to related attacks, such as reflecting the Origin header. Search engines may flag or penalize sites with security issues, impacting SEO and user trust.
Impact
Leaving this unresolved exposes your site to potential data leaks and security vulnerabilities.
How it's detected
An automated crawler detects this by sending requests and checking for both headers: Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true.
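As an added example (not code from the original page or from Seoxpert's crawler), the following function performs the same check described above against a recorded set of response headers, and additionally flags the origin-reflection case listed under "Common causes". The header samples, the probe origin and the function names (headerValue, auditCorsResponse, auditAll) are constructed for this illustration.

```javascript
// Added example: audit a response's CORS headers the way a scanner would.
// Header names are compared case-insensitively, as HTTP requires.
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// requestOrigin: the Origin value that was sent with the probe request.
// responseHeaders: the headers that came back, as a plain object.
// Returns an array of finding ids; an empty array means no CORS issue was found.
function auditCorsResponse(requestOrigin, responseHeaders) {
  const acao = headerValue(responseHeaders, 'Access-Control-Allow-Origin');
  const acac = headerValue(responseHeaders, 'Access-Control-Allow-Credentials');
  const credentials = acac !== undefined && acac.toLowerCase() === 'true';
  const findings = [];

  if (acao === undefined) return findings; // no cross-origin exposure at all

  if (acao === '*' && credentials) {
    // The combination this page is about: browsers refuse it, but it shows
    // the server sets CORS headers without regard to the origin.
    findings.push('wildcard-with-credentials');
  }
  if (acao !== '*' && acao === requestOrigin && credentials) {
    // The probe used an origin the site has no reason to trust; seeing it
    // echoed back with credentials means Origin is reflected unvalidated.
    findings.push('reflected-origin-with-credentials');
  }
  return findings;
}

// Constructed sample responses, as a scanner might record them (hypothetical).
const PROBE_ORIGIN = 'https://scanner-probe.example';
const samples = {
  wildcardWithCredentials: {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
  },
  reflected: {
    'access-control-allow-origin': PROBE_ORIGIN,
    'access-control-allow-credentials': 'true',
  },
  allowlisted: {
    'Access-Control-Allow-Origin': 'https://trusted.com',
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  },
  publicReadOnly: { 'Access-Control-Allow-Origin': '*' },
};

// Run the audit over every sample and return a name -> findings map.
function auditAll() {
  const out = {};
  for (const [name, headers] of Object.entries(samples)) {
    out[name] = auditCorsResponse(PROBE_ORIGIN, headers);
  }
  return out;
}

console.log(JSON.stringify(auditAll(), null, 2));
```

The allowlisted and public read-only samples produce no findings: a plain '*' without credentials is a legitimate way to publish non-sensitive data, and an echoed origin is only a problem when it was not on an allowlist.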
Common causes
- Using wildcard '*' for Access-Control-Allow-Origin with credentials enabled
- Reflecting the Origin header without validation
- Lack of a proper CORS allowlist
- Misunderstanding CORS security requirements
How to fix it
Code examples
Problem: Express.js CORS misconfiguration
// BAD: Allows any origin with credentials
app.use((req, res, next) => {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Credentials', 'true');
  next();
});
Fix: Allowlist trusted origins only
// GOOD: Only allow trusted origins with credentials
const allowedOrigins = ['https://trusted.com'];
app.use((req, res, next) => {
  const origin = req.headers.origin;
  if (allowedOrigins.includes(origin)) {
    res.header('Access-Control-Allow-Origin', origin);
    res.header('Access-Control-Allow-Credentials', 'true');
  }
  next();
});
FAQ
Why can't I use Access-Control-Allow-Origin: * with credentials?
Browsers refuse to expose the response of a credentialed request when Access-Control-Allow-Origin is '*', because that combination would hand sensitive, cookie-authenticated data to any site.
How should I set Access-Control-Allow-Origin when using credentials?
Set it to a specific trusted origin from an allowlist, not '*', and only echo the origin if it matches.
What happens if I reflect the Origin header without validation?
Any site can then make credentialed requests and read the responses as if it were a trusted origin, risking data leaks and attacks.
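As an added example (not the page's own code), here is the allowlist approach from the fix and the FAQ carried a step further: the origin decision is a pure function that matches the serialized origin exactly, emits Vary: Origin so caches do not serve one origin's allow header to another, and is wrapped in an Express-style middleware that also answers preflight (OPTIONS) requests. The allowlist entries, the origins used in the demo and the names ALLOWED_ORIGINS, corsHeadersFor, corsMiddleware and simulate are assumptions for illustration; the stand-in req/res objects let the block run without a server.

```javascript
// Added example: allowlist-based CORS with exact origin matching and preflight.
// Hypothetical allowlist; real deployments load this from configuration.
const ALLOWED_ORIGINS = new Set([
  'https://trusted.com',
  'https://app.trusted.com',
]);

// Decide which CORS headers to emit for a given Origin request header.
// Returns a plain object of headers, or null when the origin is not trusted
// (no CORS headers are sent, so the browser blocks the cross-origin read).
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string') return null;   // same-origin or non-browser client
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return null;                                  // malformed or the literal "null" origin
  }
  // Compare the serialized origin, never a prefix, suffix or regex, so that
  // only the exact allowlisted origins pass.
  if (parsed.origin !== origin || !allowed.has(parsed.origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Tell shared caches the response depends on the Origin request header.
    Vary: 'Origin',
  };
}

// Express-compatible middleware (res.set is Express's header setter).
function corsMiddleware(allowed = ALLOWED_ORIGINS) {
  return function cors(req, res, next) {
    const headers = corsHeadersFor(req.headers.origin, allowed);
    if (headers !== null) {
      for (const [name, value] of Object.entries(headers)) res.set(name, value);
      if (req.method === 'OPTIONS') {
        res.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
        res.set('Access-Control-Allow-Headers', 'Content-Type, Authorization');
        res.set('Access-Control-Max-Age', '600');
      }
    }
    // Preflights end here whether or not the origin was trusted; an untrusted
    // origin simply gets no CORS headers and the browser fails the preflight.
    if (req.method === 'OPTIONS') return res.status(204).end();
    return next();
  };
}

// Minimal stand-in for Express req/res (constructed for this example) so the
// middleware can be exercised offline. Returns what a client would observe.
function simulate(method, origin) {
  const sent = {};
  const res = {
    statusCode: 200,
    set(name, value) { sent[name] = value; return this; },
    status(code) { this.statusCode = code; return this; },
    end() { return this; },
  };
  let reachedHandler = false;
  const req = { method, headers: origin === undefined ? {} : { origin } };
  corsMiddleware()(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, headers: sent, reachedHandler };
}

console.log(simulate('GET', 'https://trusted.com'));
console.log(simulate('GET', 'https://trusted.com.evil.example'));
console.log(simulate('OPTIONS', 'https://app.trusted.com'));
```

Note that an untrusted origin still reaches the route handler on a normal request; CORS governs whether the browser lets the calling page read the response, not whether the server processes it, so state-changing endpoints still need CSRF protection and authorization checks of their own.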