Glossary

CORS (Cross-Origin Resource Sharing)

A browser mechanism, driven by server response headers, that controls which other origins may read a web server's responses from script.

Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls how a web page on one origin can request resources from a different origin. An origin is the combination of scheme, host and port, so https://example.com, http://example.com and https://example.com:8443 are three different origins. By default, browsers enforce the same-origin policy, which prevents JavaScript on one site from reading responses from another site. CORS relaxes this restriction in a controlled way: the server states, in response headers, which origins are permitted to read its resources, and the browser enforces that statement.

How It Works

When JavaScript on https://example.com makes a request to https://api.other.com, the browser first checks whether the request is "simple" or requires a preflight check. A simple request uses GET, HEAD or POST, carries only a small safelisted set of headers, and has a Content-Type of application/x-www-form-urlencoded, multipart/form-data or text/plain. Anything else, such as a PUT, a JSON body or an Authorization header, is non-simple: the browser first sends an OPTIONS request to the target server carrying Origin, Access-Control-Request-Method and Access-Control-Request-Headers, and only sends the real request if the server's response permits it. A simple request is sent straight away with an Origin header; CORS decides only whether the script may read the response, so the server still receives and processes the request. CORS is therefore not a CSRF defence.

The key CORS response headers are: Access-Control-Allow-Origin (the single origin, or *, allowed to read the resource), Access-Control-Allow-Methods (which HTTP methods a preflighted request may use), Access-Control-Allow-Headers (which non-safelisted request headers it may carry), and Access-Control-Allow-Credentials (whether the browser may send cookies or HTTP authentication with the cross-origin request and expose the resulting response). When credentials are allowed, the browser rejects the wildcard: Access-Control-Allow-Origin must name one explicit origin that exactly matches the requesting page's origin. The browser enforces these policies by refusing to hand a non-compliant response to the calling script.
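The exchange described above, modelled from the browser's side as an added example (this is not code from the original glossary page). It classifies a request as simple or preflighted, builds the OPTIONS preflight the browser would send, and applies the browser's rules for the response headers listed above. The request, the server's reply and the origins https://example.com and https://api.other.com are constructed for the example.

```javascript
// Added example (not code from the original glossary page): a model of the
// browser side of CORS. Requests and response headers are constructed inline.

// Methods, headers and Content-Type values that the Fetch spec "safelists".
// A request that uses only these is "simple" and is sent without a preflight.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// True when a single header needs no preflight. Content-Type is only
// safelisted for the three form/text media types; application/json is not.
function isSafelistedHeader(name, value) {
  if (!SAFELISTED_HEADERS.has(name)) return false;
  if (name !== "content-type") return true;
  return SAFELISTED_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
}

function isSimpleRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return false;
  return Object.entries(lowerKeys(headers)).every(([n, v]) => isSafelistedHeader(n, v));
}

// The OPTIONS request the browser sends before a non-simple request.
function buildPreflight(origin, method, headers) {
  const unsafe = Object.entries(lowerKeys(headers))
    .filter(([n, v]) => !isSafelistedHeader(n, v))
    .map(([n]) => n)
    .sort();
  const preflight = {
    method: "OPTIONS",
    headers: { Origin: origin, "Access-Control-Request-Method": method.toUpperCase() },
  };
  if (unsafe.length) preflight.headers["Access-Control-Request-Headers"] = unsafe.join(", ");
  return preflight;
}

// Whether the browser lets the script read a response. `withCredentials`
// models fetch(url, { credentials: "include" }); in that mode the wildcard is
// rejected and Access-Control-Allow-Credentials: true is required.
function responseExposed(origin, withCredentials, responseHeaders) {
  const h = lowerKeys(responseHeaders);
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (withCredentials) return h["access-control-allow-credentials"] === "true" && acao === origin;
  return acao === "*" || acao === origin;
}

// Whether a preflight response permits the real request to follow.
function preflightAllowed(origin, withCredentials, preflight, responseHeaders) {
  if (!responseExposed(origin, withCredentials, responseHeaders)) return false;
  const h = lowerKeys(responseHeaders);
  const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const methods = list(h["access-control-allow-methods"]);
  const allowedHeaders = list(h["access-control-allow-headers"]);
  const wantMethod = preflight.headers["Access-Control-Request-Method"];
  const wantHeaders = list(preflight.headers["Access-Control-Request-Headers"]);
  // "*" only acts as a wildcard for requests made without credentials, and
  // it never covers Authorization, which must be listed explicitly.
  const wildcard = (xs) => xs.includes("*") && !withCredentials;
  const methodOk = wildcard(methods) || methods.includes(wantMethod.toLowerCase())
    || SAFELISTED_METHODS.has(wantMethod);
  const headersOk = wantHeaders.every(
    (n) => allowedHeaders.includes(n) || (wildcard(allowedHeaders) && n !== "authorization"));
  return methodOk && headersOk;
}

// Walk through the exchange for a JSON PUT with a bearer token (constructed
// input; api.other.com's reply is what a correctly configured server answers).
function demo() {
  const origin = "https://example.com";
  const headers = { "Content-Type": "application/json", Authorization: "Bearer token" };
  const simple = isSimpleRequest("PUT", headers);  // false: PUT and a JSON body
  const preflight = buildPreflight(origin, "PUT", headers);
  const serverReply = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
  };
  return { simple, preflight, allowed: preflightAllowed(origin, true, preflight, serverReply) };
}
```

Running demo() shows the preflight carrying Access-Control-Request-Method: PUT and Access-Control-Request-Headers: authorization, content-type, and the real request being permitted. Swapping the reply's Allow-Origin for * makes preflightAllowed return false because the request is credentialed.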

CORS misconfigurations are a frequent security finding. The most dangerous is dynamically reflecting the request's Origin header into Access-Control-Allow-Origin while also setting Access-Control-Allow-Credentials: true. This effectively disables the same-origin policy for that server: any website can make authenticated requests to it and read the responses. An attacker hosting a malicious page can steal sensitive data from users who visit it while logged into the vulnerable application. Two weaker variants behave the same way in practice: reflecting the literal origin null (which sandboxed iframes and some local documents send, so any attacker can produce it), and validating Origin with a loose check, such as a prefix or suffix match or an unanchored regular expression, that accepts attacker-registered hosts like evilexample.com or example.com.attacker.example. Whether the attacker's request actually carries the victim's session depends on the cookie's SameSite attribute: cookies set with SameSite=None are sent on such cross-site requests, and that is exactly the setting many APIs use to support legitimate cross-origin clients.

Why It Matters

Misconfigured CORS policies can turn a protected API into an open one. Security assessments test CORS configurations by sending requests with various Origin headers (an arbitrary attacker domain, null, and origins crafted to defeat prefix, suffix and scheme checks) and looking for responses that echo the origin with credentials allowed. A properly configured CORS policy compares the Origin header exactly against an allowlist of full origins (scheme, host and port), returns no CORS headers to anything else, never combines credentials with a wildcard or a reflected value, and sends Vary: Origin so that caches do not serve one origin's answer to another.
