Critiq Docs


security.misconfiguration

# Avoid wildcard CORS origins with credentials in Gin

`gin-contrib/cors` configurations must not combine wildcard origins with `AllowCredentials: true`.

## Metadata

| Field | Value |
| --- | --- |
| Rule ID | `go.security.gin-wildcard-cors-with-credentials` |
| Severity | high |
| Confidence | 0.82 |
| Languages | go |
| Presets | security, strict |
| Stability | experimental |
| Applies to | block |
| Tags | cors, gin, go, rules-catalog, security |

## Why it matters

Combining a wildcard origin with credentials violates the browser CORS safety model, and in practice it often hides the absence of an origin allowlist in an API that should be locked down.

## Remediation

Replace wildcard origins with explicit HTTPS origins; disable credentials when public anonymous access is intended; or move token APIs to header-only authentication without credentialed CORS.
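As an added example (not part of the Critiq rule or of `gin-contrib/cors`), the following standard-library Go program encodes both halves of this page: a `Validate` check that rejects the flagged combination, and a `Middleware` that implements the remediation (a bare `*` only for anonymous APIs, credentials only for allowlisted HTTPS origins). `CORSPolicy`, `Validate`, `Middleware`, `Probe` and the origins are constructed for this example; `CORSPolicy` merely stands in for the two `cors.Config` fields the rule inspects.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"slices"
)

// CORSPolicy stands in for the gin-contrib/cors.Config fields the rule inspects (constructed for this example).
type CORSPolicy struct {
	AllowOrigins     []string
	AllowCredentials bool
}
// Validate rejects the combination the rule flags: "*" together with credentials.
func (p CORSPolicy) Validate() error {
	if p.AllowCredentials && slices.Contains(p.AllowOrigins, "*") {
		return fmt.Errorf("wildcard origin combined with AllowCredentials")
	}
	return nil
}
// Middleware applies the remediation: "*" only for anonymous APIs; credentials only for allowlisted origins.
func (p CORSPolicy) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if !p.AllowCredentials && slices.Contains(p.AllowOrigins, "*") {
			w.Header().Set("Access-Control-Allow-Origin", "*")
		} else if origin != "" && slices.Contains(p.AllowOrigins, origin) {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin") // the answer depends on Origin; tell caches
			if p.AllowCredentials {
				w.Header().Set("Access-Control-Allow-Credentials", "true")
			}
		}
		next.ServeHTTP(w, r)
	})
}
// Probe returns the Allow-Origin and Allow-Credentials headers emitted for a request from origin (offline via httptest).
func Probe(p CORSPolicy, origin string) (string, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/token", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	p.Middleware(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin"), rec.Header().Get("Access-Control-Allow-Credentials")
}

func main() {
	fmt.Println(CORSPolicy{AllowOrigins: []string{"*"}, AllowCredentials: true}.Validate())
	fmt.Println(Probe(CORSPolicy{AllowOrigins: []string{"https://app.example.com"}, AllowCredentials: true}, "https://app.example.com"))
}
```

A request from an origin outside the allowlist receives no `Access-Control-Allow-Origin` header at all, which is the behaviour the rule expects instead of a reflected or wildcard origin paired with credentials.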

## Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/go/go.security.gin-wildcard-cors-with-credentials.rule.yaml`.