Inspetor de Política CORS
Analise cabeçalhos CORS para misconfigurações e wildcards perigosos
Inspecting CORS Policies for Security Misconfigurations
Cross-Origin Resource Sharing (CORS) is the browser mechanism that controls which external domains can make requests to your API. A properly configured CORS policy protects sensitive endpoints from unauthorized cross-origin access while allowing legitimate frontend applications to communicate with your backend. Misconfigurations — wildcard origins combined with credentials, overly permissive method lists, or exposing sensitive response headers — create attack surfaces that enable credential theft, data exfiltration, and cross-site request forgery.
The CORS Policy Inspector analyzes your Access-Control headers to detect dangerous configurations, overly permissive allowances, and common mistakes that weaken your API's security posture. Each finding explains the specific risk, provides the current misconfigured value, and recommends a secure alternative. All analysis happens entirely in your browser.
Dangerous Wildcard and Credential Combinations
The most critical CORS misconfiguration is combining wildcard origins with credential support:
-
Access-Control-Allow-Origin: *with credentials: Browsers block this combination, but servers that dynamically reflect the Origin header while also sendingAccess-Control-Allow-Credentials: trueeffectively create the same vulnerability. - Origin reflection: Servers that echo back any Origin header as the Allow-Origin value — this passes browser CORS checks but allows any website to make authenticated requests to your API.
-
Null origin allowance: Allowing
Origin: null(sent by sandboxed iframes and redirected requests) while supporting credentials enables attacks from contexts that should be untrusted.
The inspector detects these patterns and recommends explicit origin allowlists that enumerate only the domains that legitimately need cross-origin access to your API.
Method and Header Exposure Risks
CORS policies control which HTTP methods and response headers are accessible cross-origin:
-
Overly permissive methods: Allowing
DELETE,PATCH, or custom methods when onlyGETandPOSTare needed expands the attack surface unnecessarily. -
Sensitive exposed headers:
Access-Control-Expose-Headerslisting headers likeAuthorization,Set-Cookie, or custom session identifiers makes them readable by cross-origin JavaScript. -
Long preflight cache:
Access-Control-Max-Agevalues exceeding 86400 seconds mean CORS policy changes take over 24 hours to propagate to clients.
The principle of least privilege applies: only allow the methods, headers, and origins that your application actually requires for legitimate cross-origin communication.
Preflight Requests and Performance
Non-simple CORS requests trigger preflight OPTIONS requests that add latency. Understanding what triggers preflight helps optimize performance:
- Custom headers: Any header beyond Accept, Content-Type (with simple values), and Accept-Language triggers preflight
- Non-simple methods: PUT, DELETE, PATCH all require preflight
- Content-Type beyond simple:
application/jsontriggers preflight (only form-encoded and multipart are "simple")
The inspector identifies configurations where the preflight cache (Access-Control-Max-Age)
is missing or too short, causing unnecessary OPTIONS requests that double the latency of every
cross-origin API call.
Code Examples
CORS Headers Analysis Example
# Headers to analyze:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Headers: *
Access-Control-Expose-Headers: Authorization, X-Session-ID
Access-Control-Max-Age: 604800
# Inspector findings:
# - CRITICAL: Wildcard origin with credentials — browsers block this but
# the server intent suggests origin reflection may be happening
# - HIGH: Exposing Authorization header cross-origin enables token theft
# - WARN: All methods allowed — restrict to actually needed methods
# - WARN: Wildcard allowed headers — specify exactly which headers are needed
# - INFO: Max-Age 7 days — CORS policy changes will be slow to propagateStandards & Specifications
- Fetch Living Standard — CORS Protocol — Defines the CORS protocol behavior including preflight, credentials, and header handling