Validating CORS Policies

Overview

Validate Cross-Origin Resource Sharing configurations in web applications and APIs for security misconfigurations that enable unauthorized cross-origin access. This skill analyzes CORS headers, middleware configurations, and server response behavior to detect wildcard origins, reflected origins, credential leakage, and overly permissive header/method exposure.

Prerequisites

• Access to the target codebase and configuration files in

  ${CLAUDE_SKILL_DIR}/

• For live endpoint testing: WebFetch tool available and target URLs accessible
• Familiarity with the web framework in use (Express, Django, Flask, Spring, ASP.NET, etc.)
• Reference:

  ${CLAUDE_SKILL_DIR}/references/README.md

  for CORS specification details, common vulnerability patterns, and example policies

Instructions

1. Locate all CORS configuration points by scanning for

   Access-Control-Allow-Origin

   ,

   cors()

   middleware,

   @CrossOrigin

   annotations, CORS policy builders, and server config directives (nginx

   add_header

   , Apache

   Header set

   ) using Grep.
2. Check for wildcard origin (

   Access-Control-Allow-Origin: *

   ) -- flag as severity high when combined with

   Access-Control-Allow-Credentials: true

   , which browsers reject but indicates a misunderstanding of the security model.
3. Detect origin reflection patterns where the server echoes back the

   Origin

   request header without validation -- search for code that reads the

   Origin

   header and sets it directly in the response. Flag as CWE-942 (Permissive Cross-domain Policy), severity critical.
4. Validate the origin allowlist: check that allowed origins use exact string matching rather than substring or regex patterns vulnerable to bypass (e.g.,

   example.com.evil.com

   matching a check for

   example.com

   ).
5. Assess

   Access-Control-Allow-Methods

   -- flag if dangerous methods (

   PUT

   ,

   DELETE

   ,

   PATCH

   ) are exposed without necessity. Verify that preflight (

   OPTIONS

   ) responses include appropriate method restrictions.
6. Evaluate

   Access-Control-Allow-Headers

   -- flag wildcard header allowance or exposure of sensitive headers like

   Authorization

   ,

   Cookie

   , or custom auth headers to broader origins than necessary.
7. Check

   Access-Control-Expose-Headers

   for leakage of internal headers (e.g.,

   X-Request-Id

   ,

   X-Internal-Trace

   ) to cross-origin consumers.
8. Verify

   Access-Control-Max-Age

   is set to a reasonable value (600-86400 seconds) to balance security with performance -- missing or excessively long max-age values deserve a low-severity note.
9. For live endpoints, issue preflight requests via WebFetch with various

   Origin

   values (legitimate, malicious, null) and analyze the response headers to confirm server behavior matches the codebase configuration.
10. Compile findings with severity ratings, map to OWASP Testing Guide OTG-CLIENT-007, and provide remediation with correct CORS middleware configuration examples.

Output

• CORS configuration inventory: Table of all CORS-enabled endpoints, their allowed origins, methods, headers, and credentials settings
• Findings report: Each finding includes severity, affected endpoint/file, CWE reference (CWE-942, CWE-346), observed behavior, and remediation code
• Preflight test results: For live endpoints, a table of Origin values tested and the corresponding server responses
• Remediation examples: Framework-specific CORS configuration snippets (Express

  cors()

  , Django

  django-cors-headers

  , Spring

  @CrossOrigin

  , nginx headers)

Error Handling

Error	Cause	Solution
No CORS configuration found	CORS handled at infrastructure layer (CDN, API gateway)	Check CDN/gateway configs (Cloudflare, AWS API Gateway, nginx) for CORS header injection
WebFetch blocked or timed out	Target endpoint unreachable or rate-limited	Verify URL accessibility; fall back to static codebase analysis of CORS middleware configuration
Inconsistent CORS behavior across endpoints	Multiple CORS configurations at different layers	Map each layer (application, reverse proxy, CDN) and document the effective policy per endpoint
Origin reflection false positive	Dynamic origin validation with a secure allowlist	Verify the allowlist logic uses exact matching; mark as informational if the implementation is secure
Preflight not triggering	Request classified as "simple request" by the browser	Note that simple GET/POST requests bypass preflight; test with custom headers to force preflight

Examples

Express.js CORS Middleware Audit

Scan

${CLAUDE_SKILL_DIR}/src/app.js

and

${CLAUDE_SKILL_DIR}/src/middleware/

for

cors()

configuration. Flag

origin: true

(reflects any origin) as CWE-942, severity critical. Recommend replacing with an explicit allowlist:

origin: ['https://app.example.com', 'https://admin.example.com']

.

Nginx CORS Header Review

Grep

${CLAUDE_SKILL_DIR}/nginx/

for

add_header Access-Control-Allow-Origin

. Flag any

$http_origin

variable usage that reflects the origin without validation. Verify that

Access-Control-Allow-Credentials

is only set for origins in the allowlist using an

if

block or

map

directive.

API Gateway CORS Configuration

Review

${CLAUDE_SKILL_DIR}/infra/api-gateway.yaml

or equivalent IaC definitions for CORS settings. Flag wildcard

*

in allowed origins when credentials are enabled. Verify that

Access-Control-Allow-Methods

is scoped to only the HTTP methods each endpoint actually supports.

Resources

• MDN: Cross-Origin Resource Sharing
• OWASP Testing for CORS (OTG-CLIENT-007)
• CWE-942: Permissive Cross-domain Policy
• CWE-346: Origin Validation Error
• Fetch Standard: CORS Protocol