Common CORS Security Vulnerabilities

Common CORS Security Vulnerabilities

Vulnerability 1: Reflecting Origin Header

// INSECURE - Never do this!
app.use((req, res, next) => {
    // Echoing whatever Origin the caller sent, while also enabling
    // credentials, lets any site read authenticated responses from this API.
    const { origin } = req.headers;
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Credentials', 'true');
    next();
});

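// SECURE - Validate origin against an explicit allow list
// Built once rather than per request; exact string match only (no prefix,
// suffix or regex matching, which are the usual ways allow lists get bypassed).
const allowedOrigins = ['https://app.example.com', 'https://trusted.com'];

app.use((req, res, next) => {
    const origin = req.headers.origin;

    // The CORS headers differ per Origin, so caches must key on it; otherwise
    // a response produced for one origin could be replayed to another.
    res.setHeader('Vary', 'Origin');

    // A missing Origin (same-origin or non-browser request) gets no CORS headers.
    if (origin && allowedOrigins.includes(origin)) {
        res.setHeader('Access-Control-Allow-Origin', origin);
        res.setHeader('Access-Control-Allow-Credentials', 'true');
    }
    next();
});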

Vulnerability 2: Wildcards with Credentials

// INVALID - Browsers reject this combination
// A wildcard origin cannot be combined with credentials; the browser blocks
// the response, so credentialed cross-origin requests simply fail.
const wildcardWithCredentials = {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
};
for (const [name, value] of Object.entries(wildcardWithCredentials)) {
    res.setHeader(name, value);
}

// SECURE - Specific origin with credentials
// A single fixed origin is the only form the browser accepts alongside
// credentials; because it does not depend on the request, no Vary is needed.
const credentialedCorsHeaders = {
    'Access-Control-Allow-Origin': 'https://app.example.com',
    'Access-Control-Allow-Credentials': 'true',
};
for (const [name, value] of Object.entries(credentialedCorsHeaders)) {
    res.setHeader(name, value);
}

Vulnerability 3: Trusting Null Origin

// INSECURE - 'null' identifies no one
// Sandboxed iframes, redirected requests and local files all send
// `Origin: null`, so allowing it grants access to any page that can produce it.
const isNullOrigin = origin === 'null';
if (isNullOrigin || allowedOrigins.includes(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
}

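// SECURE - Never trust the null origin
// The reflected header depends on the request's Origin, so caches must key
// on it; set this unconditionally so a non-allowed response is not cached
// and later served to an allowed origin either.
res.setHeader('Vary', 'Origin');

// `Origin: null` carries no identity and must never match; the explicit
// check also guards against 'null' being added to the allow list by mistake.
if (origin && origin !== 'null' && allowedOrigins.includes(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
}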