CORS Misconfiguration

Medium

Identifies insecure CORS headers, for example Access-Control-Allow-Origin: * on an API that also accepts cookies or other credentials, or an origin list that is effectively "everyone".

Estimated fix time: 20 minutes

What is CORS?

Cross-Origin Resource Sharing (CORS) tells browsers which origins (scheme, host and port) may read responses from your API through cross-origin JavaScript. It is enforced by the browser, not by the server: curl, mobile apps and server-side clients ignore it entirely, so CORS is not an access control for the API itself. An over-permissive policy lets any website make a logged-in user's browser call your API and read the response; an over-strict one blocks your own front end.

Security Impact

Severity: Medium to High (High when credentialed requests are accepted from untrusted origins)

  • A malicious page can call your API with the victim's session cookie and read the response
  • Exposure of personal or other sensitive data returned by the API
  • Cross-origin state-changing requests that bypass same-origin assumptions
  • Theft of tokens or other secrets that the API returns in response bodies

How to Fix

1. Configure CORS Middleware

Laravel 7 and newer ship config/cors.php together with the HandleCors middleware (provided by fruitcake/laravel-cors in Laravel 7 and 8, and built into the framework from Laravel 9.2). Laravel 11 does not publish the file by default; run php artisan config:publish cors to create it. Origins must be listed with scheme and host (and port if non-standard), exactly as the browser sends them in the Origin header:

// config/cors.php
return [
    // Only routes under these paths get CORS headers at all.
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    
    'allowed_methods' => ['*'],
    
    // Exact origins, scheme included; no trailing slash, no paths.
    'allowed_origins' => [
        'https://yourdomain.com',
        'https://app.yourdomain.com',
    ],
    
    // Regular expressions matched against the Origin header (see below).
    'allowed_origins_patterns' => [],
    
    'allowed_headers' => ['*'],
    
    // Response headers that cross-origin JavaScript may read beyond the safe defaults.
    'exposed_headers' => [],
    
    // 0 disables preflight caching; a value such as 3600 cuts repeated OPTIONS requests.
    'max_age' => 0,
    
    // true sends Access-Control-Allow-Credentials: true, so cookies and
    // Authorization headers ride along. Only ever combine this with explicit origins.
    'supports_credentials' => true,
];

2. Never Use Wildcard with Credentials

Browsers refuse to expose a response that carries Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true. The dangerous part is what the middleware does instead: when every origin is allowed and credentials are enabled, it echoes the requesting Origin back in Access-Control-Allow-Origin, so any site can read authenticated responses from your API. Check this with a request that sends an Origin you do not own; if that Origin comes back in the response header, the configuration is exploitable.

// BAD - Security vulnerability: every origin is trusted with the user's cookies
'allowed_origins' => ['*'],
'supports_credentials' => true,

// GOOD - Specific origins
'allowed_origins' => [
    'https://yourdomain.com',
    'https://app.yourdomain.com',
],
'supports_credentials' => true,

3. Environment-Specific Configuration

Keep the origin list out of code so staging and production differ only in .env. Read env() inside the config file only: once php artisan config:cache has run, env() returns null everywhere else.

// config/cors.php
'allowed_origins' => explode(',', env('CORS_ALLOWED_ORIGINS', 'https://yourdomain.com')),

# .env (comma-separated, no spaces)
CORS_ALLOWED_ORIGINS=https://yourdomain.com,https://app.yourdomain.com

4. Restrict HTTP Methods

allowed_methods controls what the preflight response advertises; it does not replace route-level authorization, but it keeps the browser from sending methods your front end never uses.

// Only allow necessary methods
'allowed_methods' => ['GET', 'POST', 'PUT', 'DELETE'],

// Don't use wildcard in production
'allowed_methods' => ['*'], // Avoid this

5. Install fruitcake/laravel-cors (Laravel 6 and below)

Laravel 7 already depends on this package, so the manual install is only needed on older releases. Register the middleware at the top of the global middleware stack so that it also decorates error responses and preflight requests that never reach a route.

composer require fruitcake/laravel-cors
php artisan vendor:publish --tag="cors"

// app/Http/Kernel.php
protected $middleware = [
    \Fruitcake\Cors\HandleCors::class, // keep it first
    // ...
];

Verification Steps

  1. Make an API request with an allowed Origin header: the response must include Access-Control-Allow-Origin set to that exact origin (plus Access-Control-Allow-Credentials: true if you enabled credentials)
  2. Repeat with an Origin you do not control: the server still answers (CORS does not block requests), but the response must not contain Access-Control-Allow-Origin for that origin, and must never echo it back
  3. Check that Vary: Origin is present whenever a specific origin is returned, so shared caches do not serve one origin's headers to another
  4. Send a preflight (OPTIONS with Access-Control-Request-Method) for both origins and confirm the same verdicts
  5. Repeat the untrusted case with the literal Origin: null, which sandboxed iframes and data: URLs send, and confirm it is not allowed
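The checks above as one runnable script. This is an added example for this guide, not Laravel's or StackShield's code. It probes a URL with a trusted origin, an attacker-controlled origin and the literal null origin, both as a plain request and as a preflight, and classifies each response the way a browser would treat it; it also names the wildcard-plus-credentials and origin-reflection cases from "Never Use Wildcard with Credentials". API_URL, TRUSTED_ORIGIN and EVIL_ORIGIN are assumptions to replace with your own values; SAMPLE_BAD and SAMPLE_GOOD are constructed headers, not captured from a real server, so the verdicts can be seen offline.

```python
"""CORS verification helper for a Laravel API (added example, not project code).

Assumptions: API_URL is an endpoint under the configured 'paths';
TRUSTED_ORIGIN is one entry from allowed_origins in config/cors.php;
EVIL_ORIGIN is a hypothetical attacker-controlled site.
"""
import sys
import urllib.error
import urllib.request

API_URL = "https://api.yourdomain.com/api/user"   # assumed endpoint
TRUSTED_ORIGIN = "https://app.yourdomain.com"     # from allowed_origins
EVIL_ORIGIN = "https://attacker.example"          # hypothetical attacker site


def classify_cors(sent_origin, headers, origin_is_trusted):
    """Classify one response given the Origin we sent and the response headers.

    Returns one of: blocked, allowed, wildcard, wildcard-with-credentials,
    reflected, reflected-with-credentials, mismatch.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        # No ACAO at all: the browser refuses to expose the response.
        return "blocked"
    if acao == "*":
        # "*" is only safe for anonymous, non-user-specific data. Browsers
        # reject "*" combined with credentials, but seeing both means the
        # config is one change away from reflecting every origin.
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao == sent_origin:
        if origin_is_trusted:
            return "allowed"
        # The server echoed an origin it should not trust (including "null").
        # With credentials, any site can read the victim's authenticated data.
        return "reflected-with-credentials" if creds else "reflected"
    # The header names some other origin: the browser blocks this read.
    return "mismatch"


def cache_unsafe(headers):
    """True when a per-origin ACAO is sent without Vary: Origin, so a shared
    cache could hand one origin's CORS headers to a different origin."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    vary = [x.strip().lower() for x in h.get("vary", "").split(",")]
    return acao not in (None, "*") and "origin" not in vary


def probe(url, origin, method="GET", preflight=False):
    """Send one request carrying an Origin header; return (status, headers).
    Error responses carry CORS headers too, so they are returned as well."""
    req = urllib.request.Request(url, method="OPTIONS" if preflight else method)
    req.add_header("Origin", origin)
    if preflight:
        req.add_header("Access-Control-Request-Method", method)
        req.add_header("Access-Control-Request-Headers", "authorization,content-type")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers.items())


def audit(url):
    """Run the verification steps against a live URL; return {case: (status, verdict)}."""
    findings = {}
    cases = [("trusted", TRUSTED_ORIGIN, True),
             ("untrusted", EVIL_ORIGIN, False),
             ("null", "null", False)]  # sandboxed iframes / data: URLs send Origin: null
    for label, origin, trusted in cases:
        for kind in ("request", "preflight"):
            status, headers = probe(url, origin, preflight=(kind == "preflight"))
            verdict = classify_cors(origin, headers, trusted)
            if cache_unsafe(headers):
                verdict += " (missing Vary: Origin)"
            findings[f"{label}/{kind}"] = (status, verdict)
    return findings


# Constructed responses (not captured from a real server) for the offline demo.
SAMPLE_BAD = {"Access-Control-Allow-Origin": EVIL_ORIGIN,
              "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
SAMPLE_GOOD = {"Vary": "Origin"}  # no ACAO for an origin outside the allow-list

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for case, (status, verdict) in audit(sys.argv[1]).items():
            print(f"{case:20} status={status} verdict={verdict}")
    else:
        print("misconfigured:", classify_cors(EVIL_ORIGIN, SAMPLE_BAD, False))
        print("fixed:        ", classify_cors(EVIL_ORIGIN, SAMPLE_GOOD, False))
```

Run it as python cors_check.py https://api.yourdomain.com/api/user; anything other than "allowed" for the trusted origin and "blocked" or "mismatch" for the untrusted and null origins needs attention. Authenticated endpoints return 401 without a session, which is fine: the CORS headers on the error response are what matter.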

Common Scenarios

SPA on One Known Origin

A front end served from a single fixed origin calling the API on another (if both share the same origin, no CORS headers are needed at all):

'paths' => ['api/*'],
'allowed_origins' => ['https://yourdomain.com'],
'supports_credentials' => true,

Multiple Subdomains

Keep the pattern anchored at both ends and escape the dots, as below; an unanchored or loosely written regex is a common way to end up trusting attacker.yourdomain.com.evil.example. Note that this trusts every subdomain equally: an XSS or a subdomain takeover on any one of them yields credentialed access to the API.

'allowed_origins_patterns' => ['/^https:\/\/.*\.yourdomain\.com$/'],
'supports_credentials' => true,

Public API

A wildcard is acceptable only when responses contain nothing user-specific and the API does not rely on cookies or an Authorization header sent by the browser:

'allowed_origins' => ['*'],
'supports_credentials' => false, // Important!

Related Guides

  • CSRF Protection
  • Security Headers
  • API Rate Limiting

Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
