What is CORS?

Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers to allow or restrict web applications running at one origin (domain) to interact with resources from another origin. It is designed to prevent unauthorized access to resources and protect against cross-site request forgery (CSRF) attacks.

Scenarios Demonstrating CORS Security:

  • Normal Scenario: Secure CORS Policy

Imagine you visit a banking website where you have logged in securely. This website might use CORS to restrict access to its APIs from other origins (domains). If another website attempts to make requests to the banking API on your behalf from a different domain, CORS policies enforced by the browser would block these requests. This prevents unauthorized actions and protects your banking data from being accessed by malicious sites.

  • Vulnerable Scenario: Insecure CORS Policy

Now, consider the same banking website, but this time it’s vulnerable to CORS misconfiguration. If the CORS policy is improperly set to allow any origin, a malicious website could exploit this vulnerability. When you visit a malicious site while logged into your banking account, it could make requests to the banking API on your behalf without your knowledge. This could allow the attacker to perform unauthorized actions, such as transferring funds or accessing sensitive information, compromising your banking data and potentially leading to significant financial loss.

CORS Vulnerability Example:

Normal Request Scenario:

Let’s imagine you are visiting a secure banking website with the domain This website uses CORS to control who can access its APIs.

When you log in to your bank account and perform an action like viewing your account balance, your browser sends a request like this:

GET /account-balance HTTP/1.1

The server responds:

HTTP/1.1 200 OK

Since the Origin matches the Access-Control-Allow-Origin, your browser allows the response to be accessed by the script on and not any outside or malicious website.

Vulnerable Request Scenario

Now, let’s consider what happens if has a misconfigured CORS policy that allows requests from any origin. An attacker sets up a malicious website with the domain

When you visit, the malicious site can send a request to on your behalf:

GET /account-balance HTTP/1.1
Cookie: sessionid=your-session-cookie

If responds with:

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true

This response means that allows to access your account balance data and includes your session cookie in the request. The malicious site can now view your private account data without your knowledge.

CORS vulnerabilities can pose several risks:

  • Unauthorized data access: If CORS policies are not properly configured, sensitive data meant to be restricted to certain origins may be accessed by unauthorized parties.
  • Cross-Site Request Forgery (CSRF): Improper CORS settings can lead to CSRF attacks where malicious websites trick users into unknowingly performing actions on other sites where they are authenticated.
  • Data theft: Attackers could exploit relaxed CORS policies to steal sensitive information, manipulate data, or perform actions on behalf of authenticated users.

Remediation for CORS Vulnerabilities:

To mitigate CORS vulnerabilities and protect sensitive data, follow these best practices:

  1. Restrict Allowed Origins

Only allow trusted origins to access your resources. Avoid using the wildcard * unless absolutely necessary, and never use it for sensitive endpoints.

  1. Avoid Allowing Credentials with Wildcard Origins

Never use Access-Control-Allow-Credentials: true with Access-Control-Allow-Origin: *. This combination can lead to severe security issues.

Correct Example:

Access-Control-Allow-Credentials: true
  1. Use Preflight Requests for Sensitive Operations

Ensure that sensitive endpoints require a preflight request by setting appropriate headers for methods like POST, PUT, DELETE, etc.


Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization


In conclusion, understanding and correctly implementing CORS policies is crucial for maintaining web application security. Misconfigured CORS settings can lead to severe vulnerabilities, such as unauthorized data access, CSRF attacks, and data theft. By restricting allowed origins, avoiding risky configurations, and ensuring sensitive operations require preflight requests, you can significantly mitigate these risks. Proper CORS implementation not only protects user data but also fortifies the overall security posture of your web applications.

Share this Doc


Or copy link