Will It Vibe?
SEC-012High severity-15 points

Permissive CORS wildcard

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

Access-Control-Allow-Origin: * (or cors({origin: '*'})) allows any site to call the API.

Why it matters

A wildcard CORS origin lets any website running in a visitor's browser call your API. Combined with cookie or IP-based auth, that means a malicious page can read your users' data through their own logged-in browser. Even with token auth it removes a useful layer of origin control.

How to fix it

Replace '*' with an explicit list of allowed origins, ideally read from an environment variable, and echo back only an origin that matches. Send Vary: Origin so caches behave. Never combine a wildcard with Access-Control-Allow-Credentials. If the API is intentionally public and unauthenticated, document that decision next to the config.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks