Validates CORS configurations in web apps/APIs for security misconfigurations like wildcard origins, origin reflection, permissive methods/headers.
Slash command: /cors-policy-validator:validating-cors-policies
Validate Cross-Origin Resource Sharing configurations in web applications and APIs for security misconfigurations that enable unauthorized cross-origin access. This skill analyzes CORS headers, middleware configurations, and server response behavior to detect wildcard origins, reflected origins, credential leakage, and overly permissive header/method exposure.
See ${CLAUDE_SKILL_DIR}/references/README.md for CORS specification details, common vulnerability patterns, and example policies.

- Locate CORS configuration: search for Access-Control-Allow-Origin, cors() middleware, @CrossOrigin annotations, CORS policy builders, and server config directives (nginx add_header, Apache Header set) using Grep.
- Detect wildcard origins (Access-Control-Allow-Origin: *) -- flag as severity high when combined with Access-Control-Allow-Credentials: true, which browsers reject but indicates a misunderstanding of the security model.
- Detect reflection of the Origin request header without validation -- search for code that reads the Origin header and sets it directly in the response. Flag as CWE-942 (Permissive Cross-domain Policy), severity critical.
- Check that origin allowlists use exact matching rather than loose pattern matching (e.g., flag logic that accepts example.com.evil.com matching a check for example.com).
- Review Access-Control-Allow-Methods -- flag if dangerous methods (PUT, DELETE, PATCH) are exposed without necessity. Verify that preflight (OPTIONS) responses include appropriate method restrictions.
- Review Access-Control-Allow-Headers -- flag wildcard header allowance or exposure of sensitive headers like Authorization, Cookie, or custom auth headers to broader origins than necessary.
- Check Access-Control-Expose-Headers for leakage of internal headers (e.g., X-Request-Id, X-Internal-Trace) to cross-origin consumers.
- Verify Access-Control-Max-Age is set to a reasonable value (600-86400 seconds) to balance security with performance -- missing or excessively long max-age values deserve a low-severity note.
- Where the target is reachable, use WebFetch to send requests with different Origin values (legitimate, malicious, null) and analyze the response headers to confirm server behavior matches the codebase configuration.
- Organize findings by framework (cors() middleware, Django django-cors-headers, Spring @CrossOrigin, nginx headers).

| Error | Cause | Solution |
|---|---|---|
| No CORS configuration found | CORS handled at infrastructure layer (CDN, API gateway) | Check CDN/gateway configs (Cloudflare, AWS API Gateway, nginx) for CORS header injection |
| WebFetch blocked or timed out | Target endpoint unreachable or rate-limited | Verify URL accessibility; fall back to static codebase analysis of CORS middleware configuration |
| Inconsistent CORS behavior across endpoints | Multiple CORS configurations at different layers | Map each layer (application, reverse proxy, CDN) and document the effective policy per endpoint |
| Origin reflection false positive | Dynamic origin validation with a secure allowlist | Verify the allowlist logic uses exact matching; mark as informational if the implementation is secure |
| Preflight not triggering | Request classified as "simple request" by the browser | Note that simple GET/POST requests bypass preflight; test with custom headers to force preflight |
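An added example, not the skill's own code, that turns the header checklist above into a runtime audit of one probe response: given the Origin the probe was sent with, the response headers and the exact allowlist the application is meant to enforce, it returns findings with the severities the checklist assigns. The "medium" severity for a bare wildcard, dangerous methods and permissive headers, and the two constructed sample responses, are assumptions.

```python
DANGEROUS_METHODS = {"PUT", "DELETE", "PATCH"}
SENSITIVE_HEADERS = {"authorization", "cookie"}
INTERNAL_HEADERS = {"x-request-id", "x-internal-trace"}

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_cors(request_origin, headers, allowlist):
    """Return [(severity, message)] for the response to a probe sent with
    request_origin (legitimate, untrusted, or the literal "null"); allowlist
    holds the exact origins the application is meant to allow."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*":
        # High only with credentials: browsers reject that pairing, but it
        # signals a misunderstood security model. "medium" alone is assumed.
        findings.append(("high" if creds else "medium",
                         "wildcard Access-Control-Allow-Origin"))
    elif acao and acao not in allowlist and acao in (request_origin, "null"):
        # The server echoed an origin it was never configured to trust.
        findings.append(("critical", f"origin reflection: {acao} (CWE-942)"))
    methods = {m.upper() for m in _csv(h.get("access-control-allow-methods", ""))}
    if methods & DANGEROUS_METHODS:
        findings.append(("medium", "dangerous methods exposed: "
                         + ", ".join(sorted(methods & DANGEROUS_METHODS))))
    allowed = {x.lower() for x in _csv(h.get("access-control-allow-headers", ""))}
    if "*" in allowed or allowed & SENSITIVE_HEADERS:
        findings.append(("medium", "permissive Access-Control-Allow-Headers"))
    exposed = {x.lower() for x in _csv(h.get("access-control-expose-headers", ""))}
    if exposed & INTERNAL_HEADERS:
        findings.append(("low", "internal headers exposed: "
                         + ", ".join(sorted(exposed & INTERNAL_HEADERS))))
    max_age = h.get("access-control-max-age")
    if not (max_age and max_age.isdigit() and 600 <= int(max_age) <= 86400):
        findings.append(("low", f"Access-Control-Max-Age missing or outside 600-86400: {max_age}"))
    return findings

ALLOWLIST = {"https://app.example.com", "https://admin.example.com"}
# Constructed sample responses (not captured from any real server).
REFLECTING = {"Access-Control-Allow-Origin": "https://untrusted.example",
              "Access-Control-Allow-Credentials": "true",
              "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
              "Access-Control-Allow-Headers": "*",
              "Access-Control-Expose-Headers": "X-Request-Id"}
HARDENED = {"Access-Control-Allow-Origin": "https://app.example.com",
            "Access-Control-Allow-Methods": "GET, POST", "Access-Control-Max-Age": "600",
            "Access-Control-Allow-Headers": "Content-Type"}
```

Probing the reflecting sample with the untrusted origin yields one critical, two medium and two low findings; the hardened sample probed from an allowlisted origin yields none.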
Scan ${CLAUDE_SKILL_DIR}/src/app.js and ${CLAUDE_SKILL_DIR}/src/middleware/ for cors()
configuration. Flag origin: true (reflects any origin) as CWE-942, severity
critical. Recommend replacing with an explicit allowlist:
origin: ['https://app.example.com', 'https://admin.example.com'].
Grep ${CLAUDE_SKILL_DIR}/nginx/ for add_header Access-Control-Allow-Origin. Flag any
$http_origin variable usage that reflects the origin without validation. Verify
that Access-Control-Allow-Credentials is only set for origins in the allowlist
using an if block or map directive.
Review ${CLAUDE_SKILL_DIR}/infra/api-gateway.yaml or equivalent IaC definitions for
CORS settings. Flag wildcard * in allowed origins when credentials are enabled.
Verify that Access-Control-Allow-Methods is scoped to only the HTTP methods
each endpoint actually supports.
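An added example, not the skill's own implementation, of the static side of the three prompts above: a small pattern scanner over constructed code and config lines that flags cors() origin: true, an nginx add_header that echoes $http_origin, and wildcard origins, raising a wildcard finding to high when the same file also enables credentials. The sample file paths and contents, and the severities the page does not state, are assumptions.

```python
import re

# Constructed sample files (paths and contents invented for this example).
SAMPLE_FILES = {
    "src/app.js": ["const cors = require('cors');",
                   "app.use(cors({ origin: true, credentials: true }));"],
    "nginx/api.conf": ["add_header Access-Control-Allow-Origin $http_origin;",
                       "add_header Access-Control-Allow-Credentials true;"],
    "src/Api.java": ['@CrossOrigin(origins = "*", allowCredentials = "true")'],
    # map-based exact allowlist: $cors_origin is empty for any other origin
    "nginx/safe.conf": ["map $http_origin $cors_origin { https://app.example.com $http_origin; }",
                        "add_header Access-Control-Allow-Origin $cors_origin;"],
    "src/safe.js": ["app.use(cors({ origin: ['https://app.example.com'] }));"],
}

# One rule per pattern the checklist names: (regex, severity, description).
RULES = [
    (re.compile(r"cors\(\s*\{[^}]*\borigin\s*:\s*true\b"), "critical",
     "cors() origin: true reflects any Origin (CWE-942)"),
    (re.compile(r"Access-Control-Allow-Origin\s+\$http_origin\b"), "critical",
     "nginx echoes $http_origin without validation (CWE-942)"),
    (re.compile(r'Access-Control-Allow-Origin\s*[:\s]\s*"?\*'), "medium",
     "wildcard Access-Control-Allow-Origin"),
    (re.compile(r'@CrossOrigin\([^)]*origins\s*=\s*"\*"'), "medium",
     "@CrossOrigin wildcard origin"),
]
CREDS = re.compile(r'credentials\s*:\s*true|Allow-Credentials\s+true|allowCredentials\s*=\s*"true"', re.I)

def scan(files):
    """Return [(path, line_no, severity, description)] over {path: [lines]}.
    A wildcard finding is raised to high when the same file also enables
    credentials, per the checklist's wildcard-plus-credentials rule."""
    findings = []
    for path, lines in files.items():
        creds_enabled = any(CREDS.search(ln) for ln in lines)
        for no, line in enumerate(lines, 1):
            for rx, sev, desc in RULES:
                if not rx.search(line):
                    continue
                if sev == "medium" and creds_enabled:
                    sev, desc = "high", desc + " combined with credentials"
                findings.append((path, no, sev, desc))
    return findings
```

The two safe samples produce no findings, which is the false-positive check the troubleshooting table asks for on map-based or explicit allowlists.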
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin cors-policy-validator

Audits PHP CORS configurations for security issues like wildcard origins, credentials with wildcards, dynamic origin reflection, missing preflight handling, and overly permissive policies.
Verifies CORS policy enforcement by testing origin reflection, null origin, subdomain bypass, wildcard-with-credentials, and preflight correctness using targeted curl and browser tests.
Tests CORS misconfigurations including origin reflection, null-origin trust, subdomain regex bypasses, pre-flight gating bypass, and postMessage origin checks. Use when auditing API endpoints or SPAs with Access-Control-* headers.