
How to fix: CORS Access-Control-Allow-Origin not wildcard

OWASP A05

Why this matters

`Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true` is rejected by every modern browser AND signals server misconfiguration to anyone probing. Even without the credentials combination, a wildcard CORS policy means every origin can read your endpoint: fine for public endpoints, dangerous for anything user-specific.

Background

`Access-Control-Allow-Origin: *` lets any origin read your cross-origin responses. If the same endpoint also returns user-specific data (responses gated by cookies or auth headers), that's a data leak. Wildcard CORS is acceptable only on truly public static JSON / fonts; otherwise allowlist specific origins.

References

OWASP A05 · MDN: CORS · RFC 6454 (Same-Origin Policy)

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx: Remove `add_header Access-Control-Allow-Origin '*';` from auth-aware routes. Allowlist instead: `add_header Access-Control-Allow-Origin "$cors_origin";` driven by a `map` of trusted origins.
apache: Same — replace `Header set Access-Control-Allow-Origin "*"` with a conditional allowlist via mod_setenvif.
cloudflare: Workers: read `request.headers.get('Origin')` and echo it only if it is in the allowlist.
wordpress: Audit REST API plugin settings. Many add wildcard CORS by default — restrict them to known origins.
flask: Use flask-cors with `origins=[...]` (a specific list), NOT `origins='*'`.
express: `cors({ origin: ['https://yourfrontend.com'] })` — not the `cors()` default, which permits any origin.
rails: `config.middleware.insert_before 0, Rack::Cors` with a specific `origins '...'` list.

Verify it's working

`curl -sI -H 'Origin: https://evil.example' https://your-site/api/sensitive | grep -i access-control-allow-origin` — the value should NOT be `*`.
