# FastAPI CORS Misconfiguration

- ID: fastapi-cors-misconfiguration
- Severity: MEDIUM
- CWE: CWE-942
- Languages: Python
- Frameworks: fastapi

## Description

Detects overly permissive CORS configuration in FastAPI applications. Allowing all origins (`*`) while credentials are enabled can lead to CSRF and data theft, because any origin is then permitted to make credentialed cross-site requests.

## Detection Message

FastAPI uses CORSMiddleware with allow_origins=['*'] and allow_credentials=True

## Remediation

Restrict CORS to specific origins:

```python
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

# Name the origins that are allowed to send credentialed requests instead of "*".
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://example.com", "https://app.example.com"],
    allow_credentials=True,
    allow_methods=["GET", "POST"],
    allow_headers=["*"],
)
```

## Related Rules

- **Flask CORS Misconfiguration** [MEDIUM]
- **Chi Permissive CORS** [MEDIUM]
- **Echo Permissive CORS** [MEDIUM]
- **Fiber Permissive CORS** [MEDIUM]
- **Gin Permissive CORS** [MEDIUM]
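The check this rule describes, as an added example that is not the rule's own implementation: a minimal `ast` scan that flags `add_middleware(CORSMiddleware, ...)` calls combining a literal `allow_origins` containing `"*"` with `allow_credentials=True`. The sample source it runs on is constructed here; only literal arguments are inspected, so values computed at runtime are not caught.

```python
# Added example, not the rule's own code: AST check for the FastAPI CORS rule.
# Only literal keyword arguments are inspected.
import ast

def _name(node):
    # Bare name (CORSMiddleware) or attribute (cors.CORSMiddleware, app.add_middleware)
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def _kwarg(call: ast.Call, name: str):
    return next((kw.value for kw in call.keywords if kw.arg == name), None)

def _allows_all_origins(node) -> bool:
    # allow_origins=["*"] or a tuple containing "*"
    elts = node.elts if isinstance(node, (ast.List, ast.Tuple)) else []
    return any(isinstance(e, ast.Constant) and e.value == "*" for e in elts)

def find_permissive_cors(source: str) -> list[int]:
    """Return line numbers of CORSMiddleware registrations matching the rule."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _name(node.func) == "add_middleware"):
            continue
        if not node.args or _name(node.args[0]) != "CORSMiddleware":
            continue
        creds = _kwarg(node, "allow_credentials")
        credentialed = isinstance(creds, ast.Constant) and creds.value is True
        if _allows_all_origins(_kwarg(node, "allow_origins")) and credentialed:
            findings.append(node.lineno)
    return findings

# Constructed sample: the first registration violates the rule, the second is remediated.
SAMPLE = '''
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
app = FastAPI()
app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
)
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://example.com"],
    allow_credentials=True,
)
'''

if __name__ == "__main__":
    print(find_permissive_cors(SAMPLE))  # [5]
```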