Permissive CORS wildcard
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Access-Control-Allow-Origin: * (or cors({origin: '*'})) allows any site to call the API.
Why it matters
A wildcard CORS origin lets any website running in a visitor's browser call your API. Combined with cookie or IP-based auth, that means a malicious page can read your users' data through their own logged-in browser. Even with token auth it removes a useful layer of origin control.
How to fix it
Replace '*' with an explicit list of allowed origins, ideally read from an environment variable, and echo back only an origin that matches. Send Vary: Origin so caches behave. Never combine a wildcard with Access-Control-Allow-Credentials. If the API is intentionally public and unauthenticated, document that decision next to the config.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo