Will It Vibe logoWill It Vibe?
WEBSEC-001High severity-15 points

CORS origin reflected from the request

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

Access-Control-Allow-Origin is set from the request Origin header, which allows any site to make credentialed cross-origin calls.

Why it matters

Reflecting the request Origin header back in Access-Control-Allow-Origin means your API trusts every site that calls it. Because the reflected value is a real origin rather than the browser-blocked literal *, it also works alongside Allow-Credentials, so a malicious page can read authenticated responses using the victim cookies. This is a common way session data and CSRF tokens leak cross-site.

How to fix it

Do not echo the Origin header. Keep a fixed allowlist of trusted origins and only set Access-Control-Allow-Origin when the incoming origin is on that list, otherwise omit the header. With the cors package, pass origin as an array or a function that checks the allowlist. Set Allow-Credentials only for those specific origins, never with a wildcard.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks