What it is
Cross-Origin Resource Sharing (CORS) is a browser-enforced policy that governs whether pages on other origins may read responses from your website or APIs. A CORS misconfiguration happens when that policy is too broad, for example using wildcard (*) origins, reflecting whatever Origin the request carries, or combining permissive origins with credentialed requests; the result is that untrusted domains can read responses meant only for trusted apps.
Why it matters
If attackers can load your authenticated endpoints from their own domain, they can:
- Read sensitive responses returned to logged-in users
- Piggyback on valid sessions using stored cookies or tokens
- Enumerate or abuse internal APIs that were never meant to be public
Because browsers automatically include cookies or Authorization headers on credentialed cross-origin requests, a lax policy can expose customer data without any malware or phishing.
How to reduce risk
- Avoid wildcard origins on any endpoint that relies on authentication or returns sensitive data
- Explicitly maintain an allowlist of trusted domains and deployment environments
- Review usage of Access-Control-Allow-Credentials and block credentialed requests from non-production origins
- Continuously audit front-end apps and APIs to ensure new routes inherit safe defaults
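As an added example (not code from the original page), a dependency-free JavaScript policy function that places the origin-reflecting configuration described above beside an exact-match allowlist, plus the check an audit would run against each route's response headers; the origins and function names are constructed for illustration.

```javascript
// Added example (not from the original page): exact-match origin allowlist
// beside the reflecting policy the page warns about. Origins are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://staging.example.com"]);

// Misconfigured policy: echoes any Origin and allows credentials, so any site
// a logged-in user visits can read this API's responses.
function corsHeadersReflecting(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: exact match only (no suffix checks, so
// "https://app.example.com.attacker.test" is rejected), credentials only for
// allowlisted origins, Vary: Origin so a shared cache never serves one
// origin's headers to another.
function corsHeadersAllowlist(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" };
  if (requestOrigin && allowlist.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  } // otherwise no Allow-Origin header at all: the browser blocks the read
  return headers;
}

// Audit check: could a page on `origin` read a credentialed response carrying
// these headers? Browsers reject "*" with credentials, so only an exact echo counts.
function originCanReadWithCredentials(headers, origin) {
  return headers["Access-Control-Allow-Credentials"] === "true" &&
    headers["Access-Control-Allow-Origin"] === origin;
}

// Constructed request origins for the demo.
const TRUSTED = "https://app.example.com";
const UNTRUSTED = "https://app.example.com.attacker.test";

function demo() {
  return {
    reflectingLeaks: originCanReadWithCredentials(corsHeadersReflecting(UNTRUSTED), UNTRUSTED),
    allowlistLeaks: originCanReadWithCredentials(corsHeadersAllowlist(UNTRUSTED), UNTRUSTED),
    allowlistServesTrusted: originCanReadWithCredentials(corsHeadersAllowlist(TRUSTED), TRUSTED),
  };
}

console.log(demo()); // { reflectingLeaks: true, allowlistLeaks: false, allowlistServesTrusted: true }
```

Running the audit check over a route's actual response headers for each origin you want to exclude is a cheap regression test to add alongside the allowlist.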