Avoid Actix any-origin CORS with credentials enabled | Critiq Docs

#Metadata

Rule ID: rust.security.actix-wildcard-cors-with-credentials
Severity: high
Confidence: 0.84
Languages: rust
Presets: security, strict
Stability: experimental
Applies to: block
Tags: actix, cors, rules-catalog, rust, security

#Why it matters

Wildcard origins with credentials violate browser CORS expectations and usually indicate a missing explicit origin allowlist.

#Remediation

Use `allowed_origin` with explicit HTTPS origins, or disable credentials when anonymous public access is intended.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/rust/rust.security.actix-wildcard-cors-with-credentials.rule.yaml.

Back to directory Open rule in repository