Validating CORS Policies
Overview
Validate Cross-Origin Resource Sharing configurations in web applications and
APIs for security misconfigurations that enable unauthorized cross-origin access.
This skill analyzes CORS headers, middleware configurations, and server response
behavior to detect wildcard origins, reflected origins, credential leakage, and
overly permissive header/method exposure.
Prerequisites
- Access to the target codebase and configuration files in ${CLAUDESKILLDIR}/
- For live endpoint testing: WebFetch tool available and target URLs accessible
- Familiarity with the web framework in use (Express, Django, Flask, Spring, ASP.NET, etc.)
- Reference: ${CLAUDESKILLDIR}/references/README.md for CORS specification details, common vulnerability patterns, and example policies
Instructions
- Locate all CORS configuration points by scanning for Access-Control-Allow-Origin, cors() middleware, @CrossOrigin annotations, CORS policy builders, and server config directives (nginx add_header, Apache Header set) using Grep.
- Check for wildcard origin (Access-Control-Allow-Origin: *) -- flag as severity high when combined with Access-Control-Allow-Credentials: true, a combination that browsers reject but that indicates a misunderstanding of the security model.
- Detect origin reflection patterns where the server echoes back the Origin request header without validation -- search for code that reads the Origin header and sets it directly in the response. Flag as CWE-942 (Permissive Cross-domain Policy), severity critical.
- Validate the origin allowlist: check that allowed origins use exact string matching rather than substring or regex patterns vulnerable to bypass (e.g., example.com.evil.com matching a check for example.com).
- Assess Access-Control-Allow-Methods -- flag if dangerous methods (PUT, DELETE, PATCH) are exposed without necessity. Verify that preflight (OPTIONS) responses include appropriate method restrictions.
- Evaluate Access-Control-Allow-Headers -- flag wildcard header allowance or exposure of sensitive headers like Authorization, Cookie, or custom auth headers to broader origins than necessary.
- Check Access-Control-Expose-Headers for leakage of internal headers (e.g., X-Request-Id, X-Internal-Trace) to cross-origin consumers.
- Verify Access-Control-Max-Age is set to a reasonable value (600-86400 seconds) to balance security with performance -- missing or excessively long max-age values deserve a low-severity note.
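The origin reflection and allowlist checks above, shown as the flagged patterns beside an exact-match form. This is an added example, not code from this skill; ALLOWED, PROBES, the allow_* policies, cors_headers and audit are hypothetical names, and the allowlist and probe origins are constructed.

```python
import re

# Constructed allowlist for illustration (hypothetical values).
ALLOWED = frozenset({"https://example.com", "https://app.example.com"})

def allow_reflect(origin):
    # Reflection pattern: echoes any Origin without validation (CWE-942).
    return origin

def allow_substring(origin):
    # Substring test: also satisfied by example.com.evil.com.
    return origin if "example.com" in origin else None

def allow_regex(origin):
    # Regex with unescaped dots and no end anchor: matches a prefix only.
    return origin if re.match(r"https://(app.)?example.com", origin) else None

def allow_exact(origin):
    # Hardened form: exact string comparison of scheme + host (+ port).
    return origin if origin in ALLOWED else None

def cors_headers(origin, policy):
    """Build the CORS response headers a handler would emit for one request."""
    allowed = policy(origin) if origin else None
    if allowed is None:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": allowed,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving one origin's response to another
    }

# Constructed probe origins; the second is the bypass example from the list above,
# the third checks that the scheme is part of the comparison.
PROBES = ["https://example.com", "https://example.com.evil.com", "http://example.com"]

def audit(policy):
    """Return the probe origins to which the policy grants credentialed access."""
    return [o for o in PROBES if cors_headers(o, policy)]

if __name__ == "__main__":
    for p in (allow_reflect, allow_substring, allow_regex, allow_exact):
        print(f"{p.__name__:16} grants: {audit(p)}")
```

Only allow_exact limits the grant to the listed origin; a finding should cite which of the other three shapes the reviewed code matches.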
- For live endpoints,