Do not combine wildcard CORS origin with credentials | Critiq Docs

#Metadata

Rule ID: php.security.insecure-cors-wildcard-with-credentials
Severity: high
Confidence: 0.85
Languages: php
Presets: security, strict
Stability: stable
Applies to: block
Tags: cors, php, rules-catalog, security

#Why it matters

Wildcard origins with credential support break origin isolation and can expose authenticated data cross-site.

#Remediation

Replace wildcard origins with explicit allowlists and keep credentials disabled unless strictly required.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/php/php.security.insecure-cors-wildcard-with-credentials.rule.yaml.

Back to directory Open rule in repository