Home / Tools / Fix CORS configuration — never combine wildcard origin with credentials
Security Headers · Scan Check Guide

Fix CORS configuration — never combine wildcard origin with credentials

30 min Impact: high Effort: medium ✓ Scan-verified — no manual checkbox

CORS headers tell browsers which OTHER websites are allowed to make requests to your site's API or resources on a visitor's behalf. A wildcard (Access-Control-Allow-Origin: *) combined with credentials support means literally any website on the internet can make authenticated requests to your API using a logged-in visitor's session.

Access-Control-Allow-Origin: * paired with Access-Control-Allow-Credentials: true lets any website on the internet read authenticated responses from yours on a visitor's behalf — a real, actively exploited misconfiguration, not a theoretical one.

How to fix it

  1. 1
    Find where CORS headers are currently set
    Check your API/server config or middleware for Access-Control-Allow-Origin.
  2. 2
    Replace the wildcard with an explicit allowlist
    List the specific domains that legitimately need to call your API (your own frontend, known partners) instead of *.
  3. 3
    Never combine a wildcard origin with credentials
    If Access-Control-Allow-Credentials: true is set, the origin absolutely cannot be * — browsers actually block this combination, but some setups work around it insecurely.
  4. 4
    Test each legitimate origin still works
    Confirm your actual frontend and any real integrations still function after narrowing the allowlist.

Common mistakes

How you'll know it's done

Access-Control-Allow-Origin lists only specific, legitimate domains — never a wildcard combined with credentials.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →