CORS origin reflected from the request
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Access-Control-Allow-Origin is set from the request Origin header, which allows any site to make credentialed cross-origin calls.
Why it matters
Reflecting the request Origin header back in Access-Control-Allow-Origin means your API trusts every site that calls it. Because the reflected value is a real origin rather than the browser-blocked literal *, it also works alongside Allow-Credentials, so a malicious page can read authenticated responses using the victim cookies. This is a common way session data and CSRF tokens leak cross-site.
How to fix it
Do not echo the Origin header. Keep a fixed allowlist of trusted origins and only set Access-Control-Allow-Origin when the incoming origin is on that list, otherwise omit the header. With the cors package, pass origin as an array or a function that checks the allowlist. Set Allow-Credentials only for those specific origins, never with a wildcard.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo