High severity

How to fix CORS with credentials allowed for any origin

Your API sends `Access-Control-Allow-Credentials: true` alongside a wildcard or overly permissive Allow-Origin. Modern browsers block this combination, but the intent is still dangerous — if a proxy or middleware rewrites the header, you end up with any site being able to make authenticated requests on behalf of logged-in users. Fix it by explicitly reflecting the Origin from an allowlist, and only setting Allow-Credentials when the origin matches.

Why it matters

CORS with credentials is how browsers enforce that cookies are only sent to trusted origins. A misconfiguration here means a user visiting `evil.com` while logged into your app could have their session used to fetch their data.

How to check

  1. Inspect a preflight OPTIONS response from your API.
  2. If Allow-Origin is `*` AND Allow-Credentials is `true`, the config is broken.
  3. Also check if Allow-Origin reflects ANY Origin (e.g., the server sets it to whatever came in).
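The three checks above, written out as an audit function you can point at your own API's preflight responses. This is an added example, not SafeToShip's scanner: `auditCors`, `KNOWN_ORIGINS`, the probe origin and the sample responses are all constructed for illustration. You send a preflight with an Origin you do not operate, hand the function that origin plus the response headers (lowercase keys, as `fetch` gives them), and it reports which of the three conditions holds.

```typescript
// Added example (not SafeToShip's code): audit a CORS response against the
// three checks in "How to check". Input is the Origin sent in the preflight
// plus the response headers (lowercase keys); output is a list of findings.

type HeaderMap = Record<string, string>;

// Origins you actually operate (assumed value). Any other origin echoed back
// in Allow-Origin means the server is reflecting without checking.
const KNOWN_ORIGINS = new Set<string>(['https://app.example.com']);

function auditCors(sentOrigin: string, headers: HeaderMap): string[] {
  const findings: string[] = [];
  const allowOrigin = headers['access-control-allow-origin'];
  const credentials = headers['access-control-allow-credentials'] ?? '';
  const allowsCredentials = credentials.trim().toLowerCase() === 'true';

  if (allowOrigin === undefined) {
    // No CORS headers at all: the browser refuses to expose the response.
    return findings;
  }
  // Check 2: wildcard plus credentials. Browsers reject the pair, but it
  // becomes live the moment a proxy rewrites the wildcard to a real origin.
  if (allowOrigin === '*' && allowsCredentials) {
    findings.push('Allow-Origin is * while Allow-Credentials is true');
  }
  // Check 3: the server echoed an origin it has no reason to trust.
  if (allowOrigin === sentOrigin && !KNOWN_ORIGINS.has(sentOrigin)) {
    findings.push(
      allowsCredentials
        ? `reflects unknown origin ${sentOrigin} with credentials`
        : `reflects unknown origin ${sentOrigin} (no credentials, lower risk)`,
    );
  }
  // Per-origin Allow-Origin must be paired with Vary: Origin, or a shared
  // cache can serve one origin's header to a different origin.
  if (allowOrigin !== '*' && !/\borigin\b/i.test(headers['vary'] ?? '')) {
    findings.push('per-origin Allow-Origin without Vary: Origin');
  }
  return findings;
}

// Constructed probe origin: one you do not own, sent in the preflight.
const PROBE = 'https://not-on-your-allowlist.example';

// Constructed sample responses, standing in for real preflight replies.
const SAMPLES: Record<string, HeaderMap> = {
  wildcardWithCreds: {
    'access-control-allow-origin': '*',
    'access-control-allow-credentials': 'true',
  },
  reflectsAnything: {
    'access-control-allow-origin': PROBE,
    'access-control-allow-credentials': 'true',
    vary: 'Origin',
  },
  // A fixed server answering the unknown origin with no CORS headers at all.
  noCors: {},
  // A fixed server that only ever names its own app origin.
  fixed: {
    'access-control-allow-origin': 'https://app.example.com',
    'access-control-allow-credentials': 'true',
    vary: 'Origin',
  },
};

function auditAll(): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = auditCors(PROBE, headers);
  }
  return out;
}

console.log(auditAll());
```

Against a live API, replace `SAMPLES` with the headers from `fetch(url, { method: 'OPTIONS', headers: { Origin: PROBE, 'Access-Control-Request-Method': 'GET' } })`; the two fixed samples come back with no findings, the other two each produce one.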

Or let SafeToShip check it for you in 60 seconds.

How to fix it

Next.js

Reflect only allowed origins. Do NOT blindly echo the Origin header.

```ts
// Exact allowlist of frontend origins; add more entries as needed.
const ALLOWED = ['https://app.example.com'];

// Only an allowlisted origin gets CORS headers at all; any other origin
// gets none, and the browser then refuses to expose the response.
function corsHeaders(origin: string | null): Headers {
  const h = new Headers();
  if (origin && ALLOWED.includes(origin)) {
    // Echo the matched origin (never '*') and only then allow credentials.
    h.set('Access-Control-Allow-Origin', origin);
    h.set('Access-Control-Allow-Credentials', 'true');
    // Tell caches the response differs per origin.
    h.set('Vary', 'Origin');
  }
  return h;
}
```
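The snippet above only builds headers for the matched origin. A complete policy also has to answer the preflight itself (methods, headers, max-age), return a 403 for preflights from unknown origins, and leave same-origin requests (no `Origin` header) untouched. The following is an added example, not Next.js's or SafeToShip's code: `cors`, `CorsRequest`, `CorsDecision` and the allowlists are made up here, and plain objects stand in for `Request`/`Headers` so the function runs anywhere. In Next.js you would call it from `middleware.ts` or a route handler and copy `decision.headers` onto the `NextResponse`.

```typescript
// Added example (not SafeToShip's or Next.js's code): full preflight and
// actual-request handling on top of a strict origin allowlist.

type HeaderMap = Record<string, string>;

interface CorsRequest {
  method: string;
  origin: string | null; // value of the Origin header, null if absent
}

interface CorsDecision {
  status: number;
  headers: HeaderMap;
  continue: boolean; // false: answer immediately; true: run the route handler
}

// Assumed values for the preflight answers; trim to what your API uses.
const ALLOWED_METHODS = 'GET, POST, PUT, DELETE';
const ALLOWED_HEADERS = 'Content-Type, Authorization';

// Production allowlist. For local development build a second set that adds
// http://localhost:3000 and pass that one instead; never merge it into prod.
const PROD_ORIGINS: ReadonlySet<string> = new Set(['https://app.example.com']);
const DEV_ORIGINS: ReadonlySet<string> = new Set([...PROD_ORIGINS, 'http://localhost:3000']);

function cors(req: CorsRequest, allowed: ReadonlySet<string>): CorsDecision {
  const headers: HeaderMap = {};

  // Same-origin requests and non-browser clients send no Origin: nothing to add.
  if (req.origin === null) {
    return { status: 200, headers, continue: true };
  }

  // Exact string match only. A prefix or regex check would let a lookalike
  // such as https://app.example.com.evil.example through.
  if (!allowed.has(req.origin)) {
    // Unknown origin: emit no CORS headers, so the browser cannot read the
    // response. Reject its preflight outright; let simple requests fall
    // through to the handler, where CSRF defences (SameSite cookies, tokens)
    // still apply, because CORS alone does not stop a request being sent.
    return req.method === 'OPTIONS'
      ? { status: 403, headers, continue: false }
      : { status: 200, headers, continue: true };
  }

  // Matched: echo this exact origin, never '*', and only now allow credentials.
  headers['Access-Control-Allow-Origin'] = req.origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Vary'] = 'Origin'; // caches must key on Origin

  if (req.method === 'OPTIONS') {
    // Preflight: describe what the actual request may do, then stop.
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers, continue: false };
  }

  return { status: 200, headers, continue: true };
}

console.log(cors({ method: 'OPTIONS', origin: 'https://app.example.com' }, PROD_ORIGINS));
console.log(cors({ method: 'OPTIONS', origin: 'http://localhost:3000' }, PROD_ORIGINS));
console.log(cors({ method: 'GET', origin: 'http://localhost:3000' }, DEV_ORIGINS));
```

Keeping the allowlist as a `Set` of exact strings is deliberate: the check is one lookup, there is no pattern to get wrong, and adding the dev origin is a separate set rather than a wildcard that could leak into production.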

AI prompt

Copy-paste into your AI tool

Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.

My API has an Access-Control-Allow-Credentials: true header with an overly permissive Access-Control-Allow-Origin. Implement a strict allowlist of my known frontend origins. Only set Allow-Credentials when the Origin matches a known entry. Never reflect the Origin header without checking it.

FAQ

Frequently asked questions

I just want to test from localhost.
Add `http://localhost:3000` to the allowlist for dev. Do not leave a wildcard in production.

Scan your site for this and 50+ other issues

Free scan. Results in 60 seconds. No account required.