How to Fix CORS Misconfiguration in Laravel

Wildcard CORS headers or misconfigured CORS policy allows any website to access your Laravel API. Learn how to configure CORS securely.

Severity: High | Category: Application Security | Updated 2026-03-01

The Problem

A misconfigured CORS policy, especially using Access-Control-Allow-Origin: *, allows any website on the internet to make requests to your API on behalf of authenticated users. When combined with Access-Control-Allow-Credentials: true, attackers can read sensitive data and perform actions through a victim's browser session. This effectively bypasses same-origin policy protections.

How to Fix

1. Configure allowed origins in config/cors.php

   Open config/cors.php and replace the wildcard origin with the specific origins your frontend is actually served from.

2. Use environment-specific CORS origins

   Make the CORS origins configurable per environment: read them from an environment variable in config/cors.php and set that variable in each environment's .env file, so development, staging and production each allow only their own frontend origins.

3. Restrict CORS to API routes only

   Limit CORS to only the routes that need cross-origin access by narrowing the paths setting in config/cors.php; do not apply CORS to every route.

   This prevents CORS headers from being applied to your web routes, admin panels, and other sensitive endpoints that should never be accessed cross-origin.
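The three steps above combined into a single config/cors.php, as an added example rather than the article's own code. It assumes Laravel's built-in HandleCors middleware (Laravel 9 and later), which reads this file, and an environment variable named CORS_ALLOWED_ORIGINS; that variable name is chosen here and is not a Laravel default.

```php
<?php
// config/cors.php (added example, not the original page's code).
// Assumes Laravel's built-in HandleCors middleware reads this file.
// CORS_ALLOWED_ORIGINS is an assumed variable name; set it per environment, e.g.
//   .env (production): CORS_ALLOWED_ORIGINS=https://app.example.com
//   .env (local):      CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:5173

// Parse the comma-separated list into a clean array. A missing or empty
// value yields an empty list, so no origin is allowed by accident.
$origins = array_values(array_filter(array_map(
    'trim',
    explode(',', (string) env('CORS_ALLOWED_ORIGINS', ''))
)));

// Fail fast instead of booting with the misconfiguration this article
// describes: a wildcard origin combined with supports_credentials => true.
if (in_array('*', $origins, true)) {
    throw new RuntimeException(
        'CORS_ALLOWED_ORIGINS must list explicit origins, not "*".'
    );
}

return [
    // Only API routes (and the Sanctum CSRF cookie endpoint) receive CORS
    // headers; web routes and admin panels stay same-origin only.
    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],

    // Exact-match allow-list built from the environment variable above.
    'allowed_origins' => $origins,

    // Keep regex patterns empty unless genuinely needed: a loose pattern
    // such as /example\.com/ also matches attacker-controlled hostnames
    // like evil-example.com.
    'allowed_origins_patterns' => [],

    'allowed_headers' => ['Content-Type', 'Authorization', 'X-Requested-With'],

    'exposed_headers' => [],

    // Browsers may cache the preflight result for ten minutes.
    'max_age' => 600,

    // Set to true only if the frontend sends cookies or an Authorization
    // header cross-origin (e.g. Sanctum SPA authentication). With credentials
    // enabled, the explicit origin list above is what keeps this safe.
    'supports_credentials' => true,
];
```

Because the list is exact-match, a development origin such as http://localhost:3000 must be spelled with its scheme and port; http://localhost alone will not match, which is the situation described in the FAQ below.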

How to Verify

Test your CORS configuration with curl:

curl -I -X OPTIONS https://yourdomain.com/api/endpoint \
  -H "Origin: https://evil-site.com" \
  -H "Access-Control-Request-Method: GET"

The response should NOT include Access-Control-Allow-Origin: https://evil-site.com. Only requests from your whitelisted origins should receive CORS headers.
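A small audit script for the headers returned by the curl command above, added here as an example and not part of the original article. It parses a raw response-header dump, reports whether the response reflects the untrusted Origin you sent or grants a wildcard together with credentials, and stays silent when the origin was correctly refused. Note that browsers reject Access-Control-Allow-Origin: * when Access-Control-Allow-Credentials: true is also present, so the variant that actually exposes authenticated data is a server that echoes back whatever Origin it receives; the script checks for both. The two sample responses are constructed for the example.

```php
<?php
// Added example (not the page's code): audit a preflight response captured
// with curl against the Origin that was sent. Sample responses are constructed.

declare(strict_types=1);

/** Parse a raw HTTP header dump into a lowercase-name => value map. */
function parseHeaders(string $raw): array
{
    $headers = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line or blank line
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

/**
 * Return findings for a response to a request that carried $probeOrigin.
 * An empty list means the untrusted origin received no CORS grant, which is
 * the outcome the verification step expects.
 */
function auditCorsResponse(string $probeOrigin, string $rawHeaders): array
{
    $h = parseHeaders($rawHeaders);
    $acao = $h['access-control-allow-origin'] ?? null;
    $credentials = strtolower($h['access-control-allow-credentials'] ?? '') === 'true';
    $findings = [];

    if ($acao === null) {
        return $findings; // no Allow-Origin header at all: origin refused
    }
    if (strcasecmp($acao, $probeOrigin) === 0) {
        // The server echoed back an origin it should not trust.
        $findings[] = 'Allow-Origin reflects the untrusted Origin header'
            . ($credentials ? ' and Allow-Credentials is true: authenticated responses are readable cross-origin' : '');
    }
    if ($acao === '*') {
        $findings[] = $credentials
            ? 'Wildcard origin together with Allow-Credentials: true (browsers reject this, but it signals a broken policy)'
            : 'Wildcard origin: acceptable only for public, read-only, unauthenticated APIs';
    }
    return $findings;
}

// Constructed sample: the misconfiguration the article describes.
$misconfigured = "HTTP/1.1 204 No Content\r\n"
    . "Access-Control-Allow-Origin: https://evil-site.com\r\n"
    . "Access-Control-Allow-Credentials: true\r\n"
    . "Access-Control-Allow-Methods: GET, POST\r\n";

// Constructed sample: the hardened configuration refusing the probe origin.
$hardened = "HTTP/1.1 204 No Content\r\n"
    . "Cache-Control: no-cache, private\r\n";

foreach (['misconfigured' => $misconfigured, 'hardened' => $hardened] as $label => $raw) {
    $findings = auditCorsResponse('https://evil-site.com', $raw);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'OK (origin refused)', PHP_EOL;
}
```

To use it against a live endpoint, replace the constructed strings with the output of the curl command above (saved with curl's -D option or pasted in) and keep the probe origin identical to the Origin header you sent.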

Prevention

Review config/cors.php during code review for any pull request that modifies it. Never use wildcard origins in production. Document your CORS policy and the reason each allowed origin is included. Use StackShield to monitor your CORS headers and alert on misconfigurations.

Frequently Asked Questions

When is it okay to use wildcard CORS?

Wildcard Access-Control-Allow-Origin: * is acceptable only for truly public, read-only APIs that serve no authenticated or sensitive data. Public APIs like weather data or open datasets can safely use wildcards. If your API uses authentication of any kind, never use wildcards.

What is the difference between CORS and CSRF?

CORS controls which origins can read responses from your API via browser JavaScript. CSRF protects against forged form submissions. They complement each other: CORS prevents data theft via AJAX, while CSRF prevents action execution via forms. You need both.

Why do I get CORS errors in development but not production?

Development typically runs on different ports (localhost:3000 for frontend, localhost:8000 for Laravel), which are different origins. Add your development origins to the allowed list or use environment-specific CORS configuration as shown in step 2.

Detect This Automatically with StackShield

StackShield continuously monitors your Laravel application from the outside and alerts you when security issues are found. No installation required.
