Inspetor de Política CORS

Analise cabeçalhos CORS para misconfigurações e wildcards perigosos

Inspecting CORS Policies for Security Misconfigurations

Cross-Origin Resource Sharing (CORS) is the browser mechanism that controls which external domains can make requests to your API. A properly configured CORS policy protects sensitive endpoints from unauthorized cross-origin access while allowing legitimate frontend applications to communicate with your backend. Misconfigurations — wildcard origins combined with credentials, overly permissive method lists, or exposing sensitive response headers — create attack surfaces that enable credential theft, data exfiltration, and cross-site request forgery.

The CORS Policy Inspector analyzes your Access-Control headers to detect dangerous configurations, overly permissive allowances, and common mistakes that weaken your API's security posture. Each finding explains the specific risk, provides the current misconfigured value, and recommends a secure alternative. All analysis happens entirely in your browser.

Dangerous Wildcard and Credential Combinations

The most critical CORS misconfiguration is combining wildcard origins with credential support:

  • Access-Control-Allow-Origin: * with credentials: Browsers block this combination, but servers that dynamically reflect the Origin header while also sending Access-Control-Allow-Credentials: true effectively create the same vulnerability.
  • Origin reflection: Servers that echo back any Origin header as the Allow-Origin value — this passes browser CORS checks but allows any website to make authenticated requests to your API.
  • Null origin allowance: Allowing Origin: null (sent by sandboxed iframes and redirected requests) while supporting credentials enables attacks from contexts that should be untrusted.

The inspector detects these patterns and recommends explicit origin allowlists that enumerate only the domains that legitimately need cross-origin access to your API.

Method and Header Exposure Risks

CORS policies control which HTTP methods and response headers are accessible cross-origin:

  • Overly permissive methods: Allowing DELETE, PATCH, or custom methods when only GET and POST are needed expands the attack surface unnecessarily.
  • Sensitive exposed headers: Access-Control-Expose-Headers listing headers like Authorization, Set-Cookie, or custom session identifiers makes them readable by cross-origin JavaScript.
  • Long preflight cache: Access-Control-Max-Age values exceeding 86400 seconds mean CORS policy changes take over 24 hours to propagate to clients.

The principle of least privilege applies: only allow the methods, headers, and origins that your application actually requires for legitimate cross-origin communication.

Preflight Requests and Performance

Non-simple CORS requests trigger preflight OPTIONS requests that add latency. Understanding what triggers preflight helps optimize performance:

  • Custom headers: Any header beyond Accept, Content-Type (with simple values), and Accept-Language triggers preflight
  • Non-simple methods: PUT, DELETE, PATCH all require preflight
  • Content-Type beyond simple: application/json triggers preflight (only form-encoded and multipart are "simple")

The inspector identifies configurations where the preflight cache (Access-Control-Max-Age) is missing or too short, causing unnecessary OPTIONS requests that double the latency of every cross-origin API call.

Code Examples

CORS Headers Analysis Example

# Headers to analyze:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Headers: *
Access-Control-Expose-Headers: Authorization, X-Session-ID
Access-Control-Max-Age: 604800

# Inspector findings:
# - CRITICAL: Wildcard origin with credentials — browsers block this but
#   the server intent suggests origin reflection may be happening
# - HIGH: Exposing Authorization header cross-origin enables token theft
# - WARN: All methods allowed — restrict to actually needed methods
# - WARN: Wildcard allowed headers — specify exactly which headers are needed
# - INFO: Max-Age 7 days — CORS policy changes will be slow to propagate

Standards & Specifications