CORS headers tell browsers which OTHER websites are allowed to make requests to your site's API or resources on a visitor's behalf. A wildcard (Access-Control-Allow-Origin: *) combined with credentials support means literally any website on the internet can make authenticated requests to your API using a logged-in visitor's session.
Access-Control-Allow-Origin: * paired with Access-Control-Allow-Credentials: true lets any website on the internet read authenticated responses from yours on a visitor's behalf — a real, actively exploited misconfiguration, not a theoretical one.
Access-Control-Allow-Origin lists only specific, legitimate domains — never a wildcard combined with credentials.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →