Will It Vibe logoWill It Vibe?
WEBSEC-002High severity-15 points

CORS reflects any origin with credentials

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

The cors middleware is set to reflect any origin (origin: true) while also enabling credentials, exposing authenticated responses to every site.

Why it matters

The cors middleware with origin: true reflects whatever origin sends the request, and pairing that with credentials: true lets any website read responses that include the user session. An attacker page can then call your API as the logged-in user and read the result. This defeats the same-origin protection cookies normally rely on.

How to fix it

Replace origin: true with an explicit allowlist: pass an array of trusted origins, or a function (origin, cb) that calls back true only for known origins. Keep credentials: true only for that fixed set. If the endpoint does not need cookies, drop credentials entirely and the reflected origin stops being exploitable.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks