Critiq Docs


security.misconfiguration

Avoid permissive tower-http CORS with credentials in Axum

Do not pair wildcard or `very_permissive` origin policies with credentialed CORS or private-network access in `tower-http`.

#Metadata

Rule ID: rust.security.axum-insecure-cors-with-credentials
Severity: high
Confidence: 0.8
Languages: rust
Presets: security, strict
Stability: experimental
Applies to: block
Tags: axum, cors, rules-catalog, rust, security

#Why it matters

Browsers treat a credentialed CORS response as a statement that the server trusts the requesting origin; permissive origin policies undermine that contract and often conceal a missing explicit allowlist.

#Remediation

Prefer explicit HTTPS `AllowOrigin` lists, avoid `CorsLayer::very_permissive` with `allow_credentials(true)`, and only enable `allow_private_network` with strict origin controls.
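As an added example (not code from the Critiq rule or from tower-http), the following stand-alone Rust models the three `CorsLayer` settings the rule inspects and reproduces its decision, placing the `very_permissive` shape beside the remediated allowlist shape. The `OriginPolicy` enum, `CorsConfig` struct and `check_cors` function are constructs of this example, and `MirrorRequest` stands in for the request-reflecting origin policy that `very_permissive` is assumed to use.

```rust
// Added example (not from the Critiq rule or tower-http): model of the CorsLayer
// settings the rule inspects, plus a checker that reproduces the rule's decision.
enum OriginPolicy {
    Any,               // AllowOrigin::any(): `Access-Control-Allow-Origin: *`
    MirrorRequest,     // reflects the request Origin (assumed to be what very_permissive uses)
    List(Vec<String>), // explicit allowlist, the remediated shape
}

struct CorsConfig {
    origin: OriginPolicy,
    allow_credentials: bool,
    allow_private_network: bool,
}

/// One finding per insecure combination; an empty Vec means the config passes the rule.
fn check_cors(cfg: &CorsConfig) -> Vec<String> {
    let mut findings = Vec::new();
    let permissive = matches!(cfg.origin, OriginPolicy::Any | OriginPolicy::MirrorRequest);
    if permissive && cfg.allow_credentials {
        findings.push("permissive origin policy combined with allow_credentials(true)".to_string());
    }
    if permissive && cfg.allow_private_network {
        findings.push("permissive origin policy combined with allow_private_network(true)".to_string());
    }
    if let OriginPolicy::List(origins) = &cfg.origin {
        if origins.is_empty() {
            findings.push("explicit allowlist is empty".to_string());
        }
        for origin in origins.iter().filter(|o| !o.starts_with("https://")) {
            findings.push(format!("non-HTTPS origin in allowlist: {origin}"));
        }
    }
    findings
}

/// Assumed shape of `CorsLayer::very_permissive()`: mirrored origin plus credentials.
fn very_permissive() -> CorsConfig {
    CorsConfig { origin: OriginPolicy::MirrorRequest, allow_credentials: true, allow_private_network: false }
}

/// Remediated shape: explicit HTTPS allowlist, private-network access left off.
fn strict_allowlist(origins: &[&str], allow_credentials: bool) -> CorsConfig {
    let origin = OriginPolicy::List(origins.iter().map(|o| o.to_string()).collect());
    CorsConfig { origin, allow_credentials, allow_private_network: false }
}

fn main() {
    println!("very_permissive: {:?}", check_cors(&very_permissive()));
    println!("allowlist: {:?}", check_cors(&strict_allowlist(&["https://app.example.com"], true)));
}
```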

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/rust/rust.security.axum-insecure-cors-with-credentials.rule.yaml.