CORS misconfiguration occurs when Access-Control-Allow-Origin is set too permissively, allowing unauthorized domains to make requests to your API.
Cross-Origin Resource Sharing (CORS) controls which domains can access your API. Misconfigured CORS (especially using wildcards with credentials) allows malicious websites to make authenticated requests on behalf of your users, stealing data or performing actions.

Typical impact:

- Data theft from authenticated APIs
- Unauthorized actions performed via user sessions
- Cross-site data leakage
- API abuse from malicious sites
Only allow known, trusted domains.

```javascript
// Express.js example (assumes the cors middleware package)
const express = require('express');
const cors = require('cors');
const app = express();
const corsOptions = {
  origin: ['https://myapp.com', 'https://admin.myapp.com'], // exact origins only, no wildcard
  credentials: true
};
app.use(cors(corsOptions));
```

Browsers block the combination of a wildcard origin with credentials, but misconfigured servers may still send it.
```http
// BAD - wildcard origin with credentials
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

// GOOD - specific origin
Access-Control-Allow-Origin: https://myapp.com
Access-Control-Allow-Credentials: true
```

If you set the origin dynamically, validate it against an allowlist.
```javascript
const allowedOrigins = ['https://myapp.com'];
const origin = req.headers.origin;
// Exact match only: a prefix, suffix or substring check would accept lookalike domains.
// includes(undefined) is false, so a request without an Origin header gets no CORS headers.
if (allowedOrigins.includes(origin)) {
  res.setHeader('Access-Control-Allow-Origin', origin);
}
```