How to Fix CORS Misconfiguration in Laravel

Identifies insecure CORS headers (Access-Control-Allow-Origin: *).

Categories: authentication, authorization | Severity: Medium | Estimated fix time: 20 minutes

What This Check Detects

Identifies insecure CORS headers (Access-Control-Allow-Origin: *).

Full Documentation

What is CORS?

Cross-Origin Resource Sharing (CORS) controls which web origins a browser will allow to read responses from your API. It is enforced by the browser, not the server, so it protects users' authenticated browser sessions rather than blocking non-browser clients. A misconfigured CORS policy can expose your API to unauthorized cross-origin access or block legitimate requests.

Security Impact

Severity: Medium to High

  • Unauthorized API access
  • Data exposure
  • Cross-origin attacks
  • Credential theft

How to Fix

1. Configure CORS Middleware

Laravel 8+ includes built-in CORS support:

<?php
// config/cors.php
return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    
    'allowed_methods' => ['*'],
    
    'allowed_origins' => [
        'https://yourdomain.com',
        'https://app.yourdomain.com',
    ],
    
    'allowed_origins_patterns' => [],
    
    'allowed_headers' => ['*'],
    
    'exposed_headers' => [],
    
    'max_age' => 0,
    
    'supports_credentials' => true,
];

2. Never Use Wildcard with Credentials

Browsers refuse to expose a credentialed response whose Access-Control-Allow-Origin is '*', so with this combination the CORS layer falls back to reflecting whatever Origin header the request sent. The effect is that any site can make cookie-authenticated requests to your API and read the responses.

// BAD - Security vulnerability
'allowed_origins' => ['*'],
'supports_credentials' => true,

// GOOD - Specific origins
'allowed_origins' => [
    'https://yourdomain.com',
    'https://app.yourdomain.com',
],
'supports_credentials' => true,

3. Environment-Specific Configuration

// config/cors.php
'allowed_origins' => explode(',', env('CORS_ALLOWED_ORIGINS', 'https://yourdomain.com')),

# .env
CORS_ALLOWED_ORIGINS=https://yourdomain.com,https://app.yourdomain.com

4. Restrict HTTP Methods

// Only allow necessary methods
'allowed_methods' => ['GET', 'POST', 'PUT', 'DELETE'],

// Don't use wildcard in production
'allowed_methods' => ['*'], // Avoid this

5. Install fruitcake/laravel-cors (Laravel 7 and below)

composer require fruitcake/laravel-cors
php artisan vendor:publish --tag="cors"

// app/Http/Kernel.php
protected $middleware = [
    \Fruitcake\Cors\HandleCors::class,
];

Verification Steps

  1. Make an API request from an allowed origin; it should succeed and carry the matching Access-Control-Allow-Origin header
  2. Make the same request from an origin that is not listed; it should receive no CORS approval
  3. Check the response headers: Access-Control-Allow-Origin must name a specific origin, never '*', whenever credentials are enabled
  4. Test preflight OPTIONS requests for both an allowed and an unlisted origin
  5. Verify that Access-Control-Allow-Credentials is only sent together with a specific allowed origin
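The five verification steps above can be automated as a Laravel feature test. The test below is an added example, not code from the original guide or from Laravel itself. It assumes the two-origin config/cors.php from step 1 (paths 'api/*', supports_credentials true) and registers its own throw-away /api/ping route, so no other application code is needed; the origin values are placeholders to replace with the ones in your config.

```php
<?php
// tests/Feature/CorsPolicyTest.php
// Added example, not part of the original guide or of Laravel. Assumes the
// two-origin config/cors.php from step 1 (supports_credentials => true, paths api/*)
// and registers its own throw-away route so nothing else in the app is required.
// Origins below are placeholders; use the ones from your own config.

namespace Tests\Feature;

use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class CorsPolicyTest extends TestCase
{
    private const ALLOWED_ORIGIN  = 'https://app.yourdomain.com'; // listed in allowed_origins
    private const UNLISTED_ORIGIN = 'https://unlisted.example';   // constructed, not listed

    protected function setUp(): void
    {
        parent::setUp();
        // Throw-away endpoint under the 'api/*' CORS path; HandleCors is global middleware.
        Route::get('/api/ping', fn () => response()->json(['ok' => true]));
    }

    /** Step 1: an allowed origin is echoed back exactly, never widened to '*'. */
    public function test_allowed_origin_is_echoed_back(): void
    {
        $response = $this->withHeaders(['Origin' => self::ALLOWED_ORIGIN])->get('/api/ping');

        $response->assertOk()
            ->assertHeader('Access-Control-Allow-Origin', self::ALLOWED_ORIGIN)
            // Step 5: credentials may only be granted together with a specific origin.
            ->assertHeader('Access-Control-Allow-Credentials', 'true');
    }

    /** Steps 2 and 3: an unlisted origin gets neither access nor credentials. */
    public function test_unlisted_origin_is_not_granted(): void
    {
        $response = $this->withHeaders(['Origin' => self::UNLISTED_ORIGIN])->get('/api/ping');

        $acao = $response->headers->get('Access-Control-Allow-Origin');
        $this->assertNotSame('*', $acao);                   // wildcard + credentials is the bug this page is about
        $this->assertNotSame(self::UNLISTED_ORIGIN, $acao); // a reflected Origin would admit any site
        $response->assertHeaderMissing('Access-Control-Allow-Origin')
            ->assertHeaderMissing('Access-Control-Allow-Credentials');
    }

    /** Step 4: preflight from an allowed origin is approved with the configured methods. */
    public function test_preflight_from_allowed_origin_is_approved(): void
    {
        $response = $this->options('/api/ping', [], [
            'Origin' => self::ALLOWED_ORIGIN,
            'Access-Control-Request-Method' => 'POST',
        ]);

        $response->assertNoContent()
            ->assertHeader('Access-Control-Allow-Origin', self::ALLOWED_ORIGIN);
        $this->assertStringContainsString(
            'POST',
            (string) $response->headers->get('Access-Control-Allow-Methods')
        );
    }

    /** Step 4, negative case: preflight from an unlisted origin carries no approval. */
    public function test_preflight_from_unlisted_origin_is_not_approved(): void
    {
        $response = $this->options('/api/ping', [], [
            'Origin' => self::UNLISTED_ORIGIN,
            'Access-Control-Request-Method' => 'POST',
        ]);

        $response->assertHeaderMissing('Access-Control-Allow-Origin');
    }
}
```

Run it with php artisan test --filter CorsPolicyTest. The negative tests check both that the header is absent and that its value is neither '*' nor the reflected Origin: with exactly one entry in allowed_origins the CORS layer emits that single origin statically on every response (the browser then rejects the mismatch), so in that configuration drop the assertHeaderMissing on Access-Control-Allow-Origin and keep the value checks.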

Common Scenarios

SPA with Same Domain

'paths' => ['api/*'],
'allowed_origins' => ['https://yourdomain.com'],
'supports_credentials' => true,

Multiple Subdomains

'allowed_origins_patterns' => ['/^https:\/\/.*\.yourdomain\.com$/'],
'supports_credentials' => true,

Public API

'allowed_origins' => ['*'],
'supports_credentials' => false, // Important!
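A small configuration linter ties the three scenarios above to the settings this check detects. It is an added example, not the original guide's code and not StackShield's own check: it takes a cors.php array, flags a wildcard origin combined with credentials (step 2), wildcard methods (step 4) and origin patterns that are not anchored at both ends (the "Multiple Subdomains" scenario), and by default runs against a constructed sample array that reproduces the insecure settings.

```php
<?php
// cors-config-lint.php
// Added example, not part of the original guide and not StackShield's own check.
// Usage: php cors-config-lint.php                   (lints the constructed sample below)
//        php cors-config-lint.php config/cors.php   (only for a file without env() calls)
declare(strict_types=1);

/**
 * Return human-readable findings for a Laravel cors.php array, covering the
 * wildcard-with-credentials bug from step 2, wildcard methods from step 4 and
 * unanchored origin patterns from the "Multiple Subdomains" scenario.
 */
function lintCorsConfig(array $cors): array
{
    $findings = [];
    $origins  = $cors['allowed_origins'] ?? [];
    $patterns = $cors['allowed_origins_patterns'] ?? [];
    $creds    = (bool) ($cors['supports_credentials'] ?? false);

    if (in_array('*', $origins, true)) {
        if ($creds) {
            // Browsers refuse '*' together with credentials, so the CORS layer reflects
            // the request Origin instead: every site is effectively allowed.
            $findings[] = 'HIGH: allowed_origins "*" with supports_credentials true';
        } else {
            $findings[] = 'INFO: public API ("*" without credentials); make sure nothing session-bound is served under these paths';
        }
    }

    foreach ($patterns as $pattern) {
        if (@preg_match($pattern, '') === false) {
            $findings[] = "HIGH: invalid regex {$pattern} never matches, so those origins are silently blocked";
            continue;
        }
        // Require /^...$/ with any delimiter; an unanchored pattern also matches origins
        // that merely contain your domain name, e.g. https://yourdomain.com.unlisted.example
        if (!preg_match('#^(.)\^.*\$\1[a-zA-Z]*$#s', $pattern)) {
            $findings[] = "MEDIUM: pattern {$pattern} is not anchored with ^ and \$";
        }
    }

    if (($cors['allowed_methods'] ?? []) === ['*']) {
        $findings[] = 'LOW: allowed_methods "*"; list only the methods the API needs';
    }

    return $findings;
}

// Constructed sample reproducing the "BAD" settings from step 2 plus an unanchored pattern.
$sample = [
    'paths'                    => ['api/*'],
    'allowed_methods'          => ['*'],
    'allowed_origins'          => ['*'],
    'allowed_origins_patterns' => ['/https:\/\/.*\.yourdomain\.com/'],
    'supports_credentials'     => true,
];

$config   = isset($argv[1]) ? require $argv[1] : $sample;
$findings = lintCorsConfig($config);

echo $findings === [] ? "OK: no CORS findings\n" : implode(PHP_EOL, $findings) . PHP_EOL;
exit($findings === [] ? 0 : 1);
```

Against the sample it reports the HIGH, MEDIUM and LOW findings and exits 1, which makes it usable as a CI gate. Because a real config/cors.php from step 3 calls env(), lint the resolved array instead, for example by calling lintCorsConfig(config('cors')) from php artisan tinker or from a feature test.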

Related Issues

  • CSRF Protection
  • Security Headers
  • API Rate Limiting

Check Your Laravel App for This Vulnerability

StackShield runs this check and 30+ others automatically. No code installation required.
