ShieldReport

CORS Misconfiguration

Severity: medium
CWE-942 (Permissive Cross-domain Policy with Untrusted Domains) · Category: Configuration

What is Bad CORS?

Cross-Origin Resource Sharing (CORS) is the mechanism by which a server relaxes the browser's same-origin policy and names the other origins that may read its responses. A CORS misconfiguration grants that permission too broadly: a site the victim happens to visit can make requests to your API that carry the victim's session and read the responses, something the same-origin policy would otherwise block.

How it works

The application copies the request's Origin header into Access-Control-Allow-Origin without checking it, or matches it loosely (by substring, prefix or suffix), and also sends Access-Control-Allow-Credentials: true. The browser then lets script on the attacker's origin send requests with the victim's cookies (for example `fetch(url, { credentials: 'include' })`) and read the response body. Accepting the literal origin `null` is a variant of the same flaw: any page can produce a `null` origin from a sandboxed iframe or a local file. A bare wildcard (*) is weaker on its own, because browsers refuse to expose a credentialed response to `Access-Control-Allow-Origin: *`, but it still exposes everything the API returns without authentication and usually signals that the rest of the policy was never thought through. Note that cookies with SameSite=Lax or Strict are not attached to these cross-site requests, so the credentialed attack needs cookies marked SameSite=None or another credential the browser sends automatically.

Impact

Theft of sensitive data from authenticated API responses, including personal information, financial data, and any session tokens or API keys the API returns in a response body. Reading the response is what distinguishes this from plain CSRF, and because the reflected policy also covers preflighted requests (custom headers, JSON bodies), the attacker's page can drive the API as the victim rather than just fire blind requests at it.

How ShieldReport detects this

ShieldReport sends requests with various Origin headers (an unrelated origin and the literal `null` among them) and inspects the Access-Control-Allow-Origin response header for reflected origins, wildcard policies, and null-origin acceptance. When triaging the finding, check whether Access-Control-Allow-Credentials: true accompanies the reflected or null origin: that pair is the exploitable combination, while a wildcard without credentials only exposes responses the API already serves unauthenticated.

How to fix it

Keep an explicit allowlist of full origins (scheme, host and port) and compare the Origin header against it with an exact match, never a substring, prefix or suffix check, since `https://evilexample.com` passes an `endsWith('example.com')` test. Never reflect the Origin header unchecked, and treat the literal `null` as not allowed. Do not combine the wildcard (*) with Access-Control-Allow-Credentials: true; browsers reject that pair anyway, so it only hides the problem rather than solving it. Send `Vary: Origin` so a shared cache does not serve one origin's Access-Control-Allow-Origin to another. Validate on the server: the browser enforces the policy, but only the server can set it correctly.
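The following is an added example, not ShieldReport's code or any project's, that ties together the three sections above: two handlers with the misconfigurations described under "How it works" (unchecked reflection and a suffix check), the hardened allowlist handler from "How to fix it", and a scanner-style probe that classifies each the way the detection section describes. The API origin, the allowlist entries, the probe origins and all function names are assumptions made for the example; the handlers are pure functions that stand in for the HTTP round trip.

```javascript
// Added example (not ShieldReport's code). Names and origins are hypothetical.
const ALLOWED_ORIGINS = new Set([          // assumed trusted front-ends for the API
  "https://app.example.com",
  "https://admin.example.com",
]);

// Vulnerable: reflects whatever Origin arrives and allows credentials, so any
// page can run fetch(url, { credentials: "include" }) and read the body.
function vulnerableCorsHeaders(origin) {
  if (origin === undefined) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Also vulnerable: a suffix check that a lookalike such as
// https://evilexample.com satisfies.
function suffixCheckCorsHeaders(origin) {
  if (origin !== undefined && origin.endsWith("example.com")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Wildcard with credentials: browsers refuse to expose the response, so this
// only leaks what the API already serves unauthenticated.
function wildcardCorsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact match against the allowlist, no reflection, the literal
// "null" rejected, and Vary: Origin so caches keep per-origin responses apart.
function secureCorsHeaders(origin) {
  if (origin === undefined || origin === "null" || !ALLOWED_ORIGINS.has(origin)) {
    return { Vary: "Origin" }; // no ACAO header: the browser blocks the read
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Scanner-style probe: send a few Origin values and report what the policy
// does with each. `handler(origin)` returns the response headers; a real
// scanner would make the HTTP request instead.
const PROBE_ORIGINS = ["https://attacker.example", "https://evilexample.com", "null"];

function classifyCorsPolicy(handler) {
  const findings = [];
  for (const origin of PROBE_ORIGINS) {
    const h = handler(origin);
    const acao = h["Access-Control-Allow-Origin"];
    const creds = h["Access-Control-Allow-Credentials"] === "true";
    if (acao === undefined) continue;           // origin not allowed: nothing to report
    if (acao === "*") {
      findings.push({ origin, kind: "wildcard", readableWithCookies: false });
    } else if (acao === origin) {
      findings.push({
        origin,
        kind: origin === "null" ? "null-origin" : "reflected",
        readableWithCookies: creds,           // exploitable only with credentials
      });
    }
  }
  return findings;
}

// Run stand-alone to see each policy's classification.
for (const [name, handler] of Object.entries({
  vulnerableCorsHeaders, suffixCheckCorsHeaders, wildcardCorsHeaders, secureCorsHeaders,
})) {
  console.log(name, JSON.stringify(classifyCorsPolicy(handler)));
}
```

The probe deliberately includes a lookalike origin that contains the real domain as a suffix, since that is the case loose validation misses; `readableWithCookies` is false for the wildcard handler because the browser, not the server, refuses that combination.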

Tags

cors, browser, api, configuration

© 2026 ShieldReport. All rights reserved.