IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. HTTP Security Headers
  3. Access-Control-Allow-Origin

HTTP security header

Access-Control-Allow-Origin

Access-Control-Allow-Origin is the core CORS response header that tells the browser which origins are permitted to read a cross-origin response. Misconfiguration - reflecting the request origin, using a wildcard with credentials, or trusting null - can expose authenticated data to malicious sites.

Example

Access-Control-Allow-Origin: https://app.example.com

Configuration guidance

  • Allowlist specific trusted origins; never reflect arbitrary Origin values.
  • Never combine a wildcard (*) with Access-Control-Allow-Credentials: true.
  • Do not trust the 'null' origin.

Helps mitigate

Cross-Site Request Forgery (CSRF)Insecure Direct Object Reference (IDOR)

Related headers

Content-Security-Policy
MDN: CORS

Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.

Test my app
← All security headers
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub