RSTR-CORS-001 — cors origin:true|* with credentials:true

Summary

Express's cors middleware is configured with both origin: true (or '*') and credentials: true. In this combination the middleware reflects the request's Origin header as Access-Control-Allow-Origin instead of a fixed value and adds Access-Control-Allow-Credentials: true, so the browser sends cookies with the request and accepts the response. Net effect: any origin in the world can make credentialed cross-site requests to your API, defeating same-origin policy.

Severity

High.

Languages

JavaScript / TypeScript.

How to fix it

Allow-list the trusted origins:

app.use(cors({
  origin: ['https://app.example.com', 'https://admin.example.com'],
  credentials: true,
}));

Or — if the API is truly public — drop credentials:

app.use(cors({ origin: '*' }));   // public API, no cookies

Function-form for dynamic allow-listing:

const ALLOWED = new Set(['https://app.example.com']);
app.use(cors({
  // cb(null, true) reflects the request Origin; cb(null, false) sends no CORS headers.
  // A request without an Origin header (same-origin, curl) yields origin === undefined,
  // which the Set lookup rejects.
  origin: (origin, cb) => cb(null, ALLOWED.has(origin)),
  credentials: true,
}));
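To see why the flagged forms differ from the fixes, here is an added example (not part of this rule page and not the cors package's own code) that models how cors turns its origin option into response headers and then audits the headers a request from an untrusted origin would get back. The untrusted origin https://untrusted.example, the CONFIGS names and the finding labels are constructed for the example; the model assumes the package's documented handling of true, '*', string, array and function forms and nothing more.

```javascript
// Simplified model of how the cors package maps its `origin` option to response
// headers (assumption: mirrors the documented behaviour; this is not the package).
function corsHeaders(options, requestOrigin) {
  let origin = options.origin === undefined ? '*' : options.origin;
  // Function form: the callback decides with true (reflect), false (no CORS) or a string.
  if (typeof origin === 'function') origin(requestOrigin, (err, d) => { if (err) throw err; origin = d; });
  const headers = {};
  if (!origin) return headers;                                   // CORS disabled for this request
  if (origin === '*') headers['Access-Control-Allow-Origin'] = '*';
  else if (origin === true) headers['Access-Control-Allow-Origin'] = requestOrigin;   // reflected
  else if (typeof origin === 'string') headers['Access-Control-Allow-Origin'] = origin;
  else if (Array.isArray(origin) && origin.includes(requestOrigin)) headers['Access-Control-Allow-Origin'] = requestOrigin;
  if (options.credentials === true) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Classify a response to a request whose Origin is NOT on your trust list.
function auditResponse(untrustedOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const credentialed = headers['Access-Control-Allow-Credentials'] === 'true';
  if (acao === undefined) return 'no-cors';
  if (acao === '*') return credentialed ? 'wildcard-with-credentials' : 'public-no-credentials';
  if (acao === untrustedOrigin) return credentialed ? 'reflected-with-credentials' : 'reflected';
  return 'fixed-origin';
}

// Probe a cors configuration with a constructed untrusted origin and report the finding.
function auditConfig(options, untrustedOrigin = 'https://untrusted.example') {
  return auditResponse(untrustedOrigin, corsHeaders(options, untrustedOrigin));
}

// Constructed sample configurations: the two flagged forms and the three fixes above.
const ALLOWED = new Set(['https://app.example.com']);
const CONFIGS = {
  flagged_reflect: { origin: true, credentials: true },
  flagged_wildcard: { origin: '*', credentials: true },
  fixed_list: { origin: ['https://app.example.com', 'https://admin.example.com'], credentials: true },
  fixed_public: { origin: '*' },
  fixed_fn: { origin: (o, cb) => cb(null, ALLOWED.has(o)), credentials: true },
};
// auditConfig(CONFIGS.flagged_reflect) returns 'reflected-with-credentials';
// auditConfig(CONFIGS.fixed_list) and auditConfig(CONFIGS.fixed_fn) return 'no-cors'.
```

auditResponse also works on headers captured from a real deployment, as long as the Origin you probed with is one you do not trust.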

References