CORS Auditor

CORS Auditor validates your Cross-Origin Resource Sharing and Content Security Policy configurations. Misconfigured CORS is one of the most common web security vulnerabilities, often allowing attackers to steal data from authenticated users. This skill catches these misconfigurations before they become exploitable.

How It Works

1. Configuration review — Examines server configs (Nginx, Apache, Express, Django) for CORS and CSP directives
2. Header analysis — Parses Access-Control-Allow-Origin, Allow-Methods, Allow-Headers, and Expose-Headers
3. Credential check — Identifies dangerous combinations like `Allow-Credentials: true` with wildcard or reflected origins
4. CSP evaluation — Validates Content-Security-Policy for unsafe-inline, unsafe-eval, and overly broad source lists
5. Fix generation — Produces corrected configurations with the minimum necessary permissions

Best For

• API security reviews for SPA + backend architectures
• Pre-deployment checks for new CORS configurations
• CSP hardening to prevent XSS and data injection
• Compliance with security headers best practices (SecurityHeaders.com A+ grade)

Common Findings

Reflected Origin without validation, wildcard with credentials, missing Vary: Origin header, CSP with unsafe-inline allowing XSS, and overly permissive frame-ancestors enabling clickjacking.