# CORS Misconfiguration

- ID: python-cors-misconfiguration
- Severity: MEDIUM
- CWE: CWE-942
- Languages: Python
- Frameworks: flask, django, fastapi

## Description

Detects overly permissive CORS (Cross-Origin Resource Sharing) configurations that either allow any origin (`*`) while also allowing credentials, or reflect the request's `Origin` header back in `Access-Control-Allow-Origin` without validating it. Either pattern lets a page on an attacker-controlled origin make credentialed cross-origin requests and read the responses, which can expose sensitive data to malicious sites.

## Remediation

Use an explicit origin whitelist instead of the wildcard (`*`), and only set `Access-Control-Allow-Origin` to an origin that appears in it.

```python
from flask import Flask, request

app = Flask(__name__)

# Exact origins (scheme + host + port) that may make credentialed requests.
ALLOWED_ORIGINS = {
    'https://example.com',
    'https://app.example.com',
}


@app.after_request
def add_cors(response):
    origin = request.headers.get('Origin')
    # Only echo the Origin when it is an exact match in the allowlist;
    # unknown origins get no CORS headers at all.
    if origin in ALLOWED_ORIGINS:
        response.headers['Access-Control-Allow-Origin'] = origin
        response.headers['Access-Control-Allow-Credentials'] = 'true'
    return response
```

Learn more: https://shoulder.dev/learn/python/cwe-942/cors-misconfiguration

## Related Rules

- **FastAPI CORS Misconfiguration** [MEDIUM]
- **Flask CORS Misconfiguration** [MEDIUM]
- **Chi Permissive CORS** [MEDIUM]
- **Echo Permissive CORS** [MEDIUM]
- **Fiber Permissive CORS** [MEDIUM]
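The following is an added example written for this page; it is not the rule's own code nor the scanner's implementation. It puts the two permissive patterns from the Description (wildcard plus credentials, and unvalidated Origin reflection) beside the exact-match allowlist the Remediation recommends, and adds a small audit helper that flags both patterns in a captured set of response headers. The helper names (`reflecting_cors`, `wildcard_cors`, `strict_cors`, `audit_cors`), the `ALLOWED_ORIGINS` set and the probe origin `https://untrusted.example` are all assumptions constructed for the example.

```python
# Added example for this rule page; not the rule's own code or the
# scanner's implementation. Contrasts the two permissive CORS patterns
# the description names with an exact-match allowlist, plus an audit
# helper that flags them in a captured set of response headers.
from typing import Dict, List, Optional, Set

# Assumed allowlist (same sample origins as the remediation snippet).
ALLOWED_ORIGINS: Set[str] = {
    "https://example.com",
    "https://app.example.com",
}


def reflecting_cors(origin: Optional[str]) -> Dict[str, str]:
    """Vulnerable pattern 1: reflect whatever Origin arrived, with credentials.

    Every origin that sends a request gets itself allowed, so the effective
    allowlist is every site on the internet.
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def wildcard_cors() -> Dict[str, str]:
    """Vulnerable pattern 2: wildcard origin combined with credentials."""
    return {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
    }


def strict_cors(origin: Optional[str],
                allowed: Set[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Hardened pattern: exact-match allowlist.

    Compare the whole Origin value. Prefix or substring checks such as
    origin.startswith("https://example.com") or "example.com" in origin
    would also accept "https://example.com.untrusted.example". The literal
    string "null" (sent for sandboxed iframes and some redirects) must
    never be placed in the allowlist either.
    """
    # The response differs per Origin, so shared caches must key on it.
    headers = {"Vary": "Origin"}
    if origin is not None and origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_cors(probe_origin: str, response_headers: Dict[str, str],
               allowed: Set[str] = ALLOWED_ORIGINS) -> List[str]:
    """Flag the misconfigurations this rule describes in a captured response.

    probe_origin is the Origin value that was sent to obtain
    response_headers; it should be one that is NOT in the allowlist.
    """
    findings: List[str] = []
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get(
        "Access-Control-Allow-Credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("wildcard origin with credentials")
    if acao is not None and acao == probe_origin and acao not in allowed:
        findings.append("origin reflected without validation")
    return findings


if __name__ == "__main__":
    probe = "https://untrusted.example"  # constructed; not in the allowlist
    for name, headers in [
        ("reflecting", reflecting_cors(probe)),
        ("wildcard", wildcard_cors()),
        ("strict", strict_cors(probe)),
    ]:
        print(f"{name:10s} -> {audit_cors(probe, headers) or 'ok'}")
```

`strict_cors` is the same check as the Flask `after_request` hook in the Remediation section, with `Vary: Origin` added so a cached response for one allowed origin is not served to another. `audit_cors` is meant to run against headers captured from your own staging deployment with a probe origin that is not on the allowlist; a clean result is an empty list. Browsers refuse to expose a credentialed response whose `Access-Control-Allow-Origin` is `*`, but the rule still flags that combination because it shows the policy was never reasoned about for credentialed requests.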