Critiq Docs


security.misconfiguration

Do not combine permissive CORS origins with credentials

CORS middleware must not reflect every request `Origin` back (for example `origin: true`) or use the wildcard `*` while `credentials: true` is enabled.

#Metadata

Rule ID
ts.security.express-permissive-cors
Severity
high
Confidence
0.9
Languages
javascript, typescript
Presets
security, strict
Stability
stable
Applies to
block
Tags
cors, express, rules-catalog, security

#Why it matters

When the server reflects whatever `Origin` the request carries and also sends `Access-Control-Allow-Credentials: true`, a page on any attacker-controlled origin can issue a `fetch` with `credentials: 'include'`; the browser attaches the victim's cookies or HTTP auth, the response comes back with the attacker's origin in `Access-Control-Allow-Origin`, and the attacker's script can read the authenticated response body. A literal `*` combined with credentials is rejected by browsers (the Fetch standard requires an exact origin match for credentialed responses), but the rule still flags it: the configuration states an intent to trust every origin, and the common "fix" of switching the wildcard to reflection turns it into the exploitable case above.

#Remediation

Use an explicit allowlist of exact trusted origins (scheme, host and port), compared for equality rather than by prefix or loose regex, and return no `Access-Control-Allow-Origin` header for origins that are not on it. Leave `credentials` disabled unless a cross-origin caller genuinely needs cookies or HTTP auth, and only enable it once every allowed origin is one you intend to trust with authenticated responses.
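The following added example (not Critiq's code and not the `cors` package's own implementation) models the three configurations this rule distinguishes, the wildcard, the reflected origin and the allowlist, and applies the browser-side credentialed-response check to each, so the difference described under "Why it matters" and "Remediation" can be seen in working code. The header model is a hand-written approximation of the expressjs/cors package's documented behaviour for the `origin` option; the origins, the `allowlistOrigin` helper and the `corsHeadersFor` / `exposure` functions are assumptions made for the example.

```javascript
// Added example: not Critiq's code and not the cors package itself. The
// corsHeadersFor() function below is a hand-written approximation of how the
// expressjs/cors middleware maps its `origin` option onto response headers.
// In a real app the allowlist helper is wired in as:
//   app.use(cors({ origin: allowlistOrigin, credentials: true }));

// Assumed trusted first-party origins (constructed for this example).
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Allowlist callback in the shape the cors package accepts for `origin`:
// callback(error, allow). Exact string match on scheme+host+port; requests
// with no Origin header (curl, same-origin navigations) get no CORS headers.
function allowlistOrigin(origin, callback) {
  if (!origin) return callback(null, false);
  callback(null, TRUSTED_ORIGINS.has(origin));
}

// Approximate the headers the middleware emits for a given request Origin under
// each option shape: '*' (literal wildcard), true (reflect the request origin),
// or an allowlist callback. Credentials adds Access-Control-Allow-Credentials.
function corsHeadersFor(options, requestOrigin) {
  const headers = {};
  let allowValue = null;
  if (options.origin === '*') {
    allowValue = '*';
  } else if (options.origin === true) {
    allowValue = requestOrigin; // reflection: whatever the client sent
  } else if (typeof options.origin === 'function') {
    // The allowlist callback above answers synchronously, so this assignment
    // happens before corsHeadersFor returns.
    options.origin(requestOrigin, (err, allowed) => {
      if (!err && allowed) allowValue = requestOrigin;
    });
  }
  if (allowValue) {
    headers['Access-Control-Allow-Origin'] = allowValue;
    if (allowValue !== '*') headers['Vary'] = 'Origin'; // cache per origin
  }
  if (options.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Browser-side rule from the Fetch standard's CORS check for a credentialed
// request: the response is readable only if Allow-Origin equals the page's
// origin exactly (never '*') and Allow-Credentials is exactly 'true'.
function browserExposesCredentialedResponse(headers, pageOrigin) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  const allowCredentials = headers['Access-Control-Allow-Credentials'];
  return allowOrigin !== '*' && allowOrigin === pageOrigin && allowCredentials === 'true';
}

// Evaluate one configuration from the point of view of a trusted page and of a
// page on an attacker-controlled origin, both sending credentials: 'include'.
function exposure(options) {
  const trusted = 'https://app.example.com';
  const attacker = 'https://evil.example.net'; // constructed attacker origin
  return {
    trustedCanRead: browserExposesCredentialedResponse(corsHeadersFor(options, trusted), trusted),
    attackerCanRead: browserExposesCredentialedResponse(corsHeadersFor(options, attacker), attacker),
  };
}

// Flagged: wildcard plus credentials. Browsers refuse to expose the response to
// anyone, so it is broken for the trusted origin too, and invites "fixing" it by
// switching to reflection.
const WILDCARD_WITH_CREDENTIALS = { origin: '*', credentials: true };
// Flagged: reflected origin plus credentials. Any origin, attacker included,
// can read authenticated responses.
const REFLECTED_WITH_CREDENTIALS = { origin: true, credentials: true };
// Remediation: explicit allowlist. Only the trusted origin can read.
const ALLOWLIST_WITH_CREDENTIALS = { origin: allowlistOrigin, credentials: true };

for (const [name, cfg] of Object.entries({ WILDCARD_WITH_CREDENTIALS, REFLECTED_WITH_CREDENTIALS, ALLOWLIST_WITH_CREDENTIALS })) {
  console.log(name, exposure(cfg));
}
```

Run it with `node` to print the exposure of each configuration: the wildcard variant lets neither page read the response, the reflected variant lets both, and the allowlist variant lets only the trusted origin through. When adapting the allowlist, keep the comparison an exact set membership test; a `startsWith` or unanchored regex on the origin string would let `https://app.example.com.evil.example.net` match.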

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.express-permissive-cors.rule.yaml.