Enabling Cross-Origin Resource Sharing (CORS) is security-sensitive. For example, it has led in the past to the following vulnerabilities:

Applications that enable CORS effectively relax the browser's same-origin policy, which exists to prevent scripts from making AJAX requests to hosts other than the one shown in the browser's address bar. A CORS configuration that is too permissive can allow an attacker to read sensitive information from responses.

This rule flags code that enables CORS or specifies any HTTP response headers associated with CORS. The goal is to guide security code reviews.

Ask Yourself Whether

Recommended Secure Coding Practices

Questionable Code Example

// === NodeJS built-in modules ===
const http = require('http');
const srv = http.createServer((req, res) => {
  // Wildcard origin: any web page may read this response cross-origin.
  res.writeHead(200, { 'Access-Control-Allow-Origin': '*' }); // Questionable
  res.end('ok');
});
srv.listen(3000);

// === ExpressJS ===
const express = require('express');
const cors = require('cors');
const app = express();
// With no options, cors() answers every route with Access-Control-Allow-Origin: *
app.use(cors()); // Questionable
app.get('/product/:id', cors(), function (req, res, next) { // Questionable: enables CORS on this route
  res.json({ id: req.params.id });
});
app.listen(3000);

See