# Flask CORS Misconfiguration

- ID: flask-cors-misconfiguration
- Severity: MEDIUM
- CWE: CWE-942
- Languages: Python
- Frameworks: flask

## Description

Detects overly permissive CORS configuration in Flask applications using flask-cors. Allowing all origins (`*`) with credentials enabled can lead to cross-site request forgery and data theft.

## Detection Message

Flask application uses `CORS(*, supports_credentials=True)`, which allows any origin to make authenticated requests.

## Remediation

Restrict CORS to specific trusted origins:

```python
# GOOD: Restrict to specific origins
CORS(app, resources={
    r"/api/*": {
        "origins": ["https://example.com", "https://app.example.com"],
        "supports_credentials": True
    }
})
```

## Related Rules

- **FastAPI CORS Misconfiguration** [MEDIUM]
- **Chi Permissive CORS** [MEDIUM]
- **Echo Permissive CORS** [MEDIUM]
- **Fiber Permissive CORS** [MEDIUM]
- **Gin Permissive CORS** [MEDIUM]
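The following is an added example, not part of the rule page or of flask-cors itself: a small AST-based checker that implements the detection logic this rule describes. It applies flask-cors's documented defaults (`origins` defaults to `"*"`, `supports_credentials` defaults to `False`), so a bare `CORS(app, supports_credentials=True)` is flagged just like an explicit `origins="*"`, and it also looks inside a `resources={...}` mapping, where per-resource options override the top-level keyword arguments. Only literal values are inspected; origins held in a variable are not resolved. The sample snippets at the bottom are constructed for this example; the last one is the page's own remediation and is expected to produce no finding.

```python
import ast


def _const(node):
    """Return the Python value of a literal AST node, or None if it is not a literal."""
    return node.value if isinstance(node, ast.Constant) else None


def _is_wildcard(node):
    """True if an `origins` value is the literal "*" or a list/tuple containing it."""
    if isinstance(node, ast.Constant):
        return node.value == "*"
    if isinstance(node, (ast.List, ast.Tuple)):
        return any(_is_wildcard(elt) for elt in node.elts)
    return False


def _permissive(origins_node, creds_node):
    """Apply flask-cors defaults: missing origins means "*", missing credentials means False."""
    wildcard = True if origins_node is None else _is_wildcard(origins_node)
    with_creds = _const(creds_node) is True
    return wildcard and with_creds


def find_permissive_cors(source):
    """Return (line, scope) findings for CORS()/cross_origin() calls that combine
    wildcard origins with supports_credentials=True. scope is "top-level" or the
    resource pattern string from the resources mapping."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name not in ("CORS", "cross_origin"):
            continue
        kwargs = {k.arg: k.value for k in node.keywords if k.arg}
        if _permissive(kwargs.get("origins"), kwargs.get("supports_credentials")):
            findings.append((node.lineno, "top-level"))
        resources = kwargs.get("resources")
        if isinstance(resources, ast.Dict):
            for key, value in zip(resources.keys, resources.values):
                if not isinstance(value, ast.Dict):
                    continue
                opts = {_const(k): v for k, v in zip(value.keys, value.values)}
                # Per-resource options take precedence over the top-level keywords.
                origins = opts.get("origins", kwargs.get("origins"))
                creds = opts.get("supports_credentials", kwargs.get("supports_credentials"))
                if _permissive(origins, creds):
                    findings.append((node.lineno, _const(key)))
    return findings


# Constructed sample applications (hypothetical code, for demonstration only).
SAMPLES = {
    "explicit_wildcard": (
        "from flask import Flask\n"
        "from flask_cors import CORS\n"
        "app = Flask(__name__)\n"
        'CORS(app, origins="*", supports_credentials=True)\n'
    ),
    "default_wildcard": (
        "from flask import Flask\n"
        "from flask_cors import CORS\n"
        "app = Flask(__name__)\n"
        "CORS(app, supports_credentials=True)\n"  # origins defaults to "*"
    ),
    "wildcard_in_resources": (
        "from flask_cors import CORS\n"
        "CORS(app, resources={\n"
        '    r"/api/*": {"origins": "*", "supports_credentials": True},\n'
        '    r"/public/*": {"origins": "*"},\n'  # no credentials: not flagged
        "})\n"
    ),
    "remediated": (
        "from flask_cors import CORS\n"
        "CORS(app, resources={\n"
        '    r"/api/*": {\n'
        '        "origins": ["https://example.com", "https://app.example.com"],\n'
        '        "supports_credentials": True\n'
        "    }\n"
        "})\n"
    ),
}


def audit_samples():
    """Run the checker over every constructed sample and return name -> findings."""
    return {name: find_permissive_cors(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {findings or 'OK'}")
```

Running the block prints one finding for each of the three permissive samples and `OK` for the remediated configuration. The checker deliberately treats an absent `origins` keyword as a wildcard, because that is the framework default; a rule that only pattern-matches the literal `origins="*"` would miss the most common form of this misconfiguration.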