CORS wildcard origin combined with allow_credentials=True
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
CORSMiddleware is configured with allow_origins containing '*' and allow_credentials=True at the same time. The CORS spec forbids honoring credentialed requests for a wildcard origin, so browsers that enforce it reject the combination, but non-browser HTTP clients do not, and the code's evident intent is to allow any origin to make authenticated requests.
Why it matters
Configuring CORSMiddleware with allow_origins=['*'] and allow_credentials=True at the same time tells the browser this API accepts authenticated, cookie-carrying requests from literally any website. The CORS specification forbids browsers from honoring credentials with a wildcard origin, so modern browsers reject this specific combination, but non-browser HTTP clients and some older or misconfigured stacks do not enforce that rule, and the configuration itself shows a misunderstanding of what it is granting.
How to fix it
List the specific origins that should be allowed to make credentialed requests (your actual frontend domains) instead of a wildcard, and keep allow_credentials=True only if the API genuinely relies on cookies or Authorization headers sent cross-origin. If the API does not need credentialed cross-origin requests at all, drop allow_credentials entirely and a wildcard origin becomes far less risky.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo