Published in

2 min read

Just now

What’s CORS Misconfiguration !?

CORS, which stands for Cross-Origin Resource Sharing, is a security feature implemented by web browsers to control which web domains can access resources hosted on another domain. This security feature is important because it helps prevent potential security vulnerabilities that can arise when web pages make requests to different domains.

A CORS misconfiguration occurs when a web application or server is not properly configured to handle CORS requests. This can lead to security vulnerabilities and unexpected behavior in web applications.

This message means the response failed yet you are still able to see the returned data if you go to the Network tab

Browser policy to check CORS:

  • A different domain → redacted.tldattacker.tld
  • A different subdomain → redacted.tldsub.redacted.tld
  • A different port → redacted.tld:443redacted.tld:3001
  • A different protocol → https://redacted.tldhttp://redacted.tld

Access-Control-Allow-(*) Response’s Headers:

  • Access-Control-Allow-Origin
    – Indicate what client domains are allowed to access its resources.
    * → allow any domain
    https://redacted.tld → A fully qualified domain name
  • Access-Control-Allow-Credentials
    – If your server supports authentication via cookies. The only valid value for this case is true.
  • Access-Control-Allow-Headers
    – Provides a comma-separated list of request header values the server is willing to support.
  • Access-Control-Expose-Headers
    – A list of headers that will be present in the actual response to the call
    and should be made available to the client. All other headers will be restricted.
  • Access-Control-Allow-Methods
    – A comma-separated list of HTTP request type verbs (eg. GET, POST ) that the server is willing to support.


This header is part of the request that the client is making, and will contain the domain from which the application is started. For security reasons, browsers will not allow you to overwrite this value.


Origin: https://www.attacker.tld
Origin: http://vuln-bank.tld
Origin: null
Origin: https://vuln-bank.tld.www.attacker.tld
Origin: https://vuln-bank.tldwww.attacker.tld
Origin: https://subdomain.vuln-bank.tld
Origin: https://vuln-bank.tld_www.attacker.tld
Origin: https://subdomainvuln-bank.tld

[Totally remove origin header]