VibeScan detected an Access-Control-Allow-Origin: * header on your API routes. This allows any website on the internet to make requests to your API using your users' credentials — without them knowing.
Cross-Origin Resource Sharing (CORS) determines which external websites are allowed to make requests to your API from a browser. When you set it to *, you're telling the browser: “any website is allowed to call my API.”
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: https://myapp.com
The attack is called Cross-Site Request Forgery (CSRF). Here's how it works in practice:
Important nuance: The wildcard is most dangerous when combined with cookie-based auth or when your API accepts credentials. Even without cookies, it still exposes any unauthenticated data your API returns.
Set Access-Control-Allow-Origin to exactly your production domain. If you need multiple origins, check the request's Origin header against an allowlist.
// Next.js API route (App Router)
export async function GET(request: Request) {
const origin = request.headers.get('origin')
const allowedOrigins = ['https://myapp.com', 'https://www.myapp.com']
const headers: Record<string, string> = {}
if (origin && allowedOrigins.includes(origin)) {
headers['Access-Control-Allow-Origin'] = origin
}
return Response.json({ data: '...' }, { headers })
}Rather than setting CORS on each route, configure it once in your Next.js config to apply across all API routes.
// next.config.js
const nextConfig = {
async headers() {
return [{
source: '/api/:path*',
headers: [{
key: 'Access-Control-Allow-Origin',
value: 'https://www.myapp.com', // your domain
}],
}]
},
}For POST/PUT/DELETE endpoints, add a CSRF token check in addition to fixing CORS. Libraries like csrf-csrf make this straightforward.
“VibeScan found a wildcard CORS policy (Access-Control-Allow-Origin: *) on my API routes. Please fix this by replacing the wildcard with my specific domain in next.config.js headers config. The allowed origin should be https://www.myapp.com (replace with my actual domain). Also add CSRF protection to any state-changing POST/PUT/DELETE API routes using the csrf-csrf library.”
VibeScan checks CORS headers on every API route alongside 10 other security checks — free, in under 60 seconds.
Scan my app free →