Flask-CORS wildcard origin combined with credentials
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
CORS(...) is configured with origins='*' (or a list containing '*') together with supports_credentials=True, telling the browser this API accepts cookie-carrying requests from any website. Browsers that enforce the CORS spec reject this exact combination, but not every client does, and the configuration itself declares the intent to allow any origin to make authenticated requests.
Why it matters
CORS(app, origins='*', supports_credentials=True) tells browsers this API will accept cookie-carrying, authenticated requests from any website whatsoever. Browsers that correctly implement the CORS specification refuse to honor credentials for a wildcard origin and block the response, but that protection lives entirely in the browser: any non-browser HTTP client, older browser, or misconfigured proxy will happily send the credentialed request anyway, and the configuration itself shows the intent was broader than it should be.
How to fix it
Replace the wildcard with an explicit list of the origins that actually need credentialed access, read from configuration rather than hardcoded, for example CORS(app, origins=os.environ["ALLOWED_ORIGINS"].split(","), supports_credentials=True). If the API genuinely needs to be called from arbitrary origins, drop supports_credentials entirely and authenticate with a bearer token in a header instead of a cookie.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo