🌐 The CORS configuration chaos

Security misconfiguration

A customer forwards you a concerning email from their IT security team about suspicious network activity.

The email shows their employee visited a seemingly innocent industry blog, but afterwards their browser made dozens of API calls to your platform.

You investigate and discover the blog contains hidden JavaScript that exploits your API's CORS settings.

Any website can now make authenticated requests to your API using visitors' session cookies, accessing their private project data without permission.

Technical Issue: Your API's CORS configuration is set to 'Access-Control-Allow-Origin: *', allowing any website to make authenticated requests to your API. Malicious sites can steal user data by making API calls from visitors' browsers using their existing session cookies.
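An added example, not part of the original scenario, showing the over-permissive policy beside an origin-allowlist policy as plain header-building functions (so it runs without a web framework) plus a small audit check a responder could run over a server's response headers; the function names and the allowlist entries are assumptions. One caveat the example encodes: browsers refuse to expose a credentialed response whose header is the literal `*`, so servers that were "fixed" by reflecting the caller's `Origin` remain just as open.

```javascript
// Origins that are allowed to make cookie-authenticated calls to the API.
// Constructed sample values; a real deployment lists its own front-ends.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Unsafe: the policy from the scenario. Every origin is accepted and, because
// the API relies on session cookies, credentials are enabled too. A literal "*"
// with credentials is blocked by browsers, so misconfigured servers commonly
// reflect the request's Origin instead, which is equally permissive.
function corsHeadersUnsafe(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin || "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: only an exact allowlist match is echoed back. Any other origin gets
// no CORS headers at all, so the browser refuses to hand the response to the
// calling page. Exact matching avoids prefix bugs such as
// "https://app.example.com.attacker.test" passing a startsWith() check.
function corsHeadersAllowlist(requestOrigin) {
  if (!TRUSTED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not serve one origin's answer to another
  };
}

// Audit helper: given the headers the API returned to a request from an origin
// we do not trust, report whether the policy is over-permissive.
function isOverPermissive(headers, untrustedOrigin) {
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  if (acao === "*") return true;                       // the scenario's setting
  if (acao === untrustedOrigin && creds) return true;  // reflected origin + cookies
  return false;
}
```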

What's your immediate first move?