Avoid permissive FastAPI CORS with credentials | Critiq Docs

#Metadata

Rule ID: py.security.fastapi-insecure-cors
Severity: high
Confidence: 0.87
Languages: python
Presets: security, strict
Stability: stable
Applies to: block
Tags: cors, fastapi, python, rules-catalog, security

#Why it matters

Wildcard CORS policies plus credentials mirror insecure browser CORS combinations that attackers can abuse from malicious origins.

#Remediation

Replace wildcard origins, methods, and headers with explicit allowlists when credentials are required.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/python/py.security.fastapi-insecure-cors.rule.yaml.

Back to directory Open rule in repository