open-cors-anti-pattern
Open CORS Policy Anti-Pattern
Severity: Medium
Summary
Misconfigured CORS policies allow any website to make authenticated requests on behalf of users. Servers responding with Access-Control-Allow-Origin: * or reflecting client Origin headers enable data theft and unauthorized actions.
The Anti-Pattern
The anti-pattern is overly permissive Access-Control-Allow-Origin headers: wildcard (*) or reflecting client Origin values.
BAD Code Example
```python
# VULNERABLE: The server reflects any Origin header, or uses a wildcard with credentials.
from flask import Flask, request, jsonify

app = Flask(__name__)
```
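As an added example (not code from the original SKILL.md), the reflecting policy described above is shown beside an allow-list version, both modelled as pure header-building functions so they run without Flask, followed by a checker that flags the two forms of the anti-pattern in a captured response. `ALLOWED_ORIGINS` and every origin used are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample allow-list: exact scheme://host[:port] values, no wildcards.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def vulnerable_cors_headers(origin):
    """Anti-pattern: echo whatever Origin the client sent (or '*') and allow credentials."""
    return {
        "Access-Control-Allow-Origin": origin if origin else "*",
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Emit CORS headers only for an exact allow-list match; otherwise emit none,
    so the browser refuses the cross-origin read. Vary: Origin keeps a shared
    cache from replaying one origin's answer to another."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    # A real Origin has no path/query; 'null', http://, or lookalike hosts fail here.
    if parts.scheme != "https" or parts.path or parts.query or normalized not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_findings(request_origin, response_headers, allowed=ALLOWED_ORIGINS):
    """Defender-side check over a request Origin and the response headers it produced:
    flags wildcard-plus-credentials and reflection of an origin outside the allow-list."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    findings = []
    if acao == "*" and creds:
        findings.append("wildcard ACAO with credentials")
    if acao is not None and acao == request_origin and request_origin not in allowed:
        findings.append("reflected untrusted Origin")
    return findings
```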