HTTP security header
Access-Control-Allow-Origin
Access-Control-Allow-Origin is the core CORS response header that tells the browser which origins are permitted to read a cross-origin response. Misconfiguration - reflecting the request origin, using a wildcard with credentials, or trusting null - can expose authenticated data to malicious sites.
Example
Access-Control-Allow-Origin: https://app.example.comConfiguration guidance
- Allowlist specific trusted origins; never reflect arbitrary Origin values.
- Never combine a wildcard (*) with Access-Control-Allow-Credentials: true.
- Do not trust the 'null' origin.
Helps mitigate
Related headers
Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.
Test my app