Will It Vibe logoWill It Vibe?
FASTAPI-007High severity-15 points

CORS allow_origin_regex matches everything, combined with credentials

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

allow_origin_regex is set to a pattern that matches any string (such as '.*') together with allow_credentials=True. Unlike a literal '*' origin, a matching regex is not blocked by the browser's CORS-spec check, so this combination genuinely lets any website make authenticated, credentialed requests against the API.

Why it matters

allow_origin_regex set to a pattern that matches any string, such as '.*', combined with allow_credentials=True is functionally worse than a literal wildcard origin: browsers only block the '*' + credentials combination, not a regex that happens to match everything. So this configuration actually works in every browser, letting any website make authenticated, cookie-carrying requests against the API.

How to fix it

Replace the catch-all regex with a pattern that only matches your real origins (for example anchoring to your domain and its subdomains), or switch to an explicit allow_origins list if a regex is not actually needed. Keep allow_credentials=True only if the API genuinely needs cross-origin cookies or Authorization headers.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks