Safeey.io
CORS

The CORS Setting That Quietly Leaks Your Users' Private Data

Almost every developer has hit this wall: you're building a frontend, it calls your API, and the browser throws a scary red error about CORS. You search for the fix, find a Stack Overflow answer that says "just add Access-Control-Allow-Origin: *," paste it in, the error disappears, and you move on.

That copy-paste is one of the most common security mistakes on the internet — and depending on your API, it can quietly hand your users' private data to any website they visit.

What CORS is actually protecting

By default, browsers enforce something called the same-origin policy: JavaScript running on evil.com is not allowed to read responses from yourbank.com. This is one of the most important security boundaries on the web. Without it, any site you visited could silently make requests to your email, your bank, your social accounts — using your logged-in session — and read the results.

CORS (Cross-Origin Resource Sharing) is the controlled way to relax that boundary. It lets your API say "these specific other origins are allowed to read my responses." Used correctly, it's essential and safe. Used carelessly, it tears down the very wall the browser built to protect your users.

How the wildcard goes wrong

Here's the subtle part. Access-Control-Allow-Origin: * means "any website may read my responses." For a genuinely public API that returns nothing sensitive — public exchange rates, public blog posts — that's fine.

But the danger appears when two things combine: a permissive CORS policy and an endpoint that returns data based on the user's session (their profile, their messages, their account). If your API reflects arbitrary origins back as allowed, and also sends credentials, then this can happen:

  1. Your user is logged into your app in one tab.
  2. They visit a malicious site in another tab.
  3. That malicious site's JavaScript makes a request to your API. The browser includes your user's session cookie automatically.
  4. Your API, seeing a permissive CORS policy, tells the browser "yes, this origin may read the response."
  5. The attacker's script reads your user's private data and ships it off.

The user did nothing but visit a web page. No click, no download, no phishing. That's how a lax CORS header turns into a silent data leak.

The especially dangerous pattern

The worst version isn't even the static wildcard — it's when an API reflects whatever origin asked back into the allow header, effectively trusting everyone, while also allowing credentials. This often happens because a developer wanted to "support all our subdomains" and reached for a reflect-the-origin shortcut. It looks like it works. It's an open door.

How to configure CORS safely

The principle is simple: be explicit and be stingy.

  • Allow-list specific origins. Name the exact domains that should be able to call your API — your own frontend, your known partners — and reject everything else. Never reflect arbitrary origins.
  • Don't use * on anything authenticated. If an endpoint returns user-specific data, its allowed origins must be a tight, known list.
  • Only allow credentials when you truly need to, and never in combination with a wildcard (browsers actually forbid that specific combination — but the reflect-origin trick sneaks around it, which is why it's so dangerous).
  • Treat CORS as an allow-list, not an error to silence. That red console error is the browser doing its job. The fix is to correctly permit your real frontend, not to permit the whole internet.

Where Safeey helps

CORS misconfiguration is exactly the kind of thing that's invisible until someone tests for it — which is why Safeey does. Safeey actively probes your endpoints with different origins to see how your CORS headers respond, and flags the dangerous patterns: wildcard-with-credentials, origin reflection, and overly permissive policies on sensitive endpoints. It's a check that takes seconds and can catch a data leak you'd never notice in normal use.

Scan your site and see how your API responds to a cross-origin request it shouldn't trust.

Found this useful? Share it.

See what your site exposes

Safeey runs 1,700+ checks and shows you exactly what an attacker would find — with the fixes.

Scan your site