Do not reflect request origin into CORS policy | Critiq Docs

#Metadata

Rule ID: ts.security.insecure-allow-origin
Severity: high
Confidence: 0.92
Languages: javascript, typescript
Presets: recommended, security, strict
Stability: stable
Applies to: block
Tags: cors, misconfiguration, rules-catalog, security

#Why it matters

Reflecting the request origin into a CORS allowlist turns origin validation into a no-op.

#Remediation

Set CORS origins from a fixed allowlist or explicit trusted origin check.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.insecure-allow-origin.rule.yaml.

Back to registry Open rule in repository