
CORS Misconfiguration

security CWE-942 OWASP A5:2021 CVSS 7.5 PHP 5.0+ Intermediate
debt(d5/e3/b3/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5). The term's detection_hints list semgrep, burpsuite, and owasp-zap as tools that can detect CORS misconfigurations. These are specialized security scanners (SAST/DAST), not default linters, placing this squarely at d5.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix says to audit every Access-Control-Allow-Origin header and reject unlisted origins rather than reflecting them. This involves replacing a pattern (origin reflection) with a safer alternative (allowlist validation), typically touching a small number of middleware or header-setting locations within one component.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). CORS configuration typically lives in middleware or a central API layer. While it applies to web/api contexts, it doesn't impose ongoing maintenance burden across the entire codebase — it's a localized policy decision that, once fixed, doesn't shape future development significantly.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field explicitly states that developers believe 'CORS is a server-side security control' when in fact it's browser-enforced and doesn't protect against non-browser clients. This directly contradicts how developers familiar with server-side security patterns expect it to work. Additionally, common_mistakes show multiple gotchas (substring matching, credential behavior) that trap developers who assume CORS works like other security mechanisms.


Also Known As

  • CORS bug
  • Access-Control-Allow-Origin misconfiguration

TL;DR

Overly permissive Cross-Origin Resource Sharing headers allow malicious sites to read sensitive API responses.

Explanation

CORS misconfigurations arise when servers echo back arbitrary Origin headers in Access-Control-Allow-Origin, or set it to *, while also allowing credentials via Access-Control-Allow-Credentials: true. A malicious website can then make authenticated cross-origin requests and read the responses — stealing session data, CSRF tokens, or sensitive API responses. In PHP, explicitly whitelist allowed origins rather than reflecting input, and never combine wildcard origins with credentials.

Common Misconception

Misconception: CORS is a server-side security control. In reality, CORS is browser-enforced — it does not protect APIs called by non-browser clients such as curl or mobile apps. Server-side authentication and authorization are the real protection; CORS only governs what a browser lets a cross-origin page read.

Why It Matters

A misconfigured CORS policy turns the browser's same-origin protection off, allowing a malicious site to make authenticated API calls on behalf of the victim.

Common Mistakes

  • Reflecting the incoming Origin header back as Access-Control-Allow-Origin without validating against a whitelist.
  • Sending Access-Control-Allow-Origin: * alongside Access-Control-Allow-Credentials: true — browsers reject this but many developers don't notice until a browser change.
  • Whitelisting by substring check — an attacker registers evil-yoursite.com.
  • Allowing credentials in CORS for non-sensitive endpoints, then adding sensitive data to those endpoints later.

Code Examples

✗ Vulnerable
header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']); // reflects any Origin value without checking it
header('Access-Control-Allow-Credentials: true');                  // and lets that cross-origin read carry the victim's cookies
✓ Fixed
$allowed = ['https://trusted.example.com'];
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : null; // header is absent on same-origin and non-browser requests
if ($origin !== null && in_array($origin, $allowed, true)) { // strict, exact match: no substring or prefix checks
    header('Access-Control-Allow-Origin: ' . $origin);
}
header('Vary: Origin'); // the response now depends on Origin, so shared caches must key on it
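The allowlist approach from the fixed snippet and the Common Mistakes list, carried through as a complete header builder. This is an added example, not the glossary's own code; ALLOWED_ORIGINS, resolveCorsOrigin(), corsHeaders() and the probe origins are constructed for illustration, and it assumes PHP 7.1+ for the nullable type hints.

```php
<?php
// Added example (not the glossary's own code). Exact-match origin allowlist
// plus the headers a credentialed endpoint needs. Assumes PHP 7.1+.

// Allowed origins are full scheme://host[:port] strings and are compared exactly.
const ALLOWED_ORIGINS = ['https://trusted.example.com', 'https://app.example.com:8443'];

// Return the origin to echo back, or null when the request gets no CORS headers.
// Strict in_array() is an exact string comparison, which defeats the substring
// traps evil-trusted.example.com and trusted.example.com.evil.net.
function resolveCorsOrigin(?string $origin, array $allowlist): ?string
{
    if ($origin === null || $origin === '') {
        return null; // no Origin header: same-origin or non-browser client
    }
    return in_array($origin, $allowlist, true) ? $origin : null;
}

// Build the response headers for an endpoint that accepts cookies cross-origin.
function corsHeaders(?string $origin, array $allowlist): array
{
    $headers = ['Vary' => 'Origin']; // response depends on Origin, so caches must key on it
    $allowed = resolveCorsOrigin($origin, $allowlist);
    if ($allowed === null) {
        return $headers; // no Access-Control-* headers: the browser refuses the read
    }
    // Never '*' here: browsers reject wildcard combined with credentials.
    $headers['Access-Control-Allow-Origin'] = $allowed;
    $headers['Access-Control-Allow-Credentials'] = 'true';
    $headers['Access-Control-Allow-Methods'] = 'GET, POST';
    $headers['Access-Control-Allow-Headers'] = 'Content-Type, X-CSRF-Token';
    return $headers;
}

// Constructed probes covering the Common Mistakes above.
$probes = [
    'https://trusted.example.com',          // listed: allowed
    'https://evil-trusted.example.com',     // substring trap: denied
    'https://trusted.example.com.evil.net', // suffix trap: denied
    'http://trusted.example.com',           // wrong scheme: denied
    null,                                   // no Origin header: no CORS headers
];
foreach ($probes as $origin) {
    $h = corsHeaders($origin, ALLOWED_ORIGINS);
    printf("%-38s => %s\n", var_export($origin, true), $h['Access-Control-Allow-Origin'] ?? '(denied)');
}
```

In a request handler, loop over corsHeaders($_SERVER['HTTP_ORIGIN'] ?? null, ALLOWED_ORIGINS) and emit each pair with header("$name: $value"); only the first probe produces an Access-Control-Allow-Origin header, every other one gets just Vary: Origin.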

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity

🟠 High · ⚙ Fix effort: Medium

⚡ Quick Fix
Audit every Access-Control-Allow-Origin header — reject requests from unlisted origins rather than reflecting them back

📦 Applies To
PHP 5.0+ · web · api

🔍 Detection Hints
header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']) reflecting origin without allowlist validation
Auto-detectable: ✓ Yes (semgrep, burpsuite, owasp-zap)

🤖 AI Agent
Confidence: High · False Positives: Medium · ✗ Manual fix · Fix: Medium · Context: File · Tests: Update

⚠ Related Problems
CWE-942 · CWE-183
