security.misconfiguration

Do not allow every origin in CORS policy

CORS should not fall back to wildcard or implicit allow-all origin settings.

#Why it matters

Wildcard or implicit allow-all CORS policies expose authenticated browser responses across origins.

#Remediation

Configure an explicit allowlist or validated origin callback instead of allowing all origins.
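
The remediation above as an added TypeScript example, not code from the rule's repository: the flagged allow-all header next to an explicit allowlist and a validated origin callback. The origins and function names are constructed, and the `(origin, callback)` signature is an assumption modelled on the `origin` option of the Express `cors` middleware.

```typescript
// Added example; the origins and function names are constructed for illustration.
type CorsHeaders = Record<string, string>;
type OriginCallback = (err: Error | null, allow?: boolean) => void;

// Explicit allowlist: exact scheme://host[:port] strings, no patterns.
const ALLOWED_ORIGINS: ReadonlyArray<string> = [
  "https://app.example.com",
  "https://admin.example.com",
];

// The flagged pattern: the same allow-all header for every caller.
function permissiveHeaders(_origin: string | undefined): CorsHeaders {
  return { "Access-Control-Allow-Origin": "*" };
}

// Exact, case-sensitive match; a missing or "null" Origin is never allowed.
function isAllowedOrigin(origin: string | undefined): boolean {
  if (origin === undefined || origin === "" || origin === "null") return false;
  return ALLOWED_ORIGINS.indexOf(origin) !== -1;
}

// Remediation 1: explicit allowlist. Echo the origin only on a match and
// send Vary: Origin so caches do not reuse a response across origins.
function allowlistHeaders(origin: string | undefined): CorsHeaders {
  const headers: CorsHeaders = { Vary: "Origin" };
  if (origin !== undefined && isAllowedOrigin(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Remediation 2: validated origin callback, in the (origin, callback) shape
// assumed here to match the Express `cors` middleware's `origin` option.
function validatedOrigin(origin: string | undefined, cb: OriginCallback): void {
  cb(null, isAllowedOrigin(origin));
}
```
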

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.permissive-allow-origin.rule.yaml.