Why is reflecting the Origin header with credentials a CORS vulnerability?
CORS (Cross-Origin Resource Sharing) is a browser mechanism that lets a server relax the same-origin policy and permit specific other origins to read its responses. The vulnerability arises when a server echoes the incoming Origin header straight back into Access-Control-Allow-Origin and also sends Access-Control-Allow-Credentials: true: any website can then make credentialed requests to that API and read the responses.
Attack scenario: a victim is logged in to bank.com. They visit attacker.com. The attacker's JavaScript sends a fetch to api.bank.com/account/balance. The browser attaches the victim's session cookie (because credentials are allowed). The server reflects attacker.com as a trusted origin, so the browser allows the attacker's JS to read the JSON response — the victim's account data.
Mitigation: maintain an explicit allow-list of trusted origins; only echo the Origin if it appears in that list. Never combine a wildcard (Access-Control-Allow-Origin: *) with Access-Control-Allow-Credentials: true — browsers actually block this combination, but a reflected-origin policy is functionally equivalent and is not blocked.
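As an added example (not code from the original page), the reflecting header logic beside an allow-list version, written as plain Node-style JavaScript functions that take the request's Origin value and return the CORS response headers; the origins in ALLOWED_ORIGINS are assumed values for illustration.

```javascript
// Assumed allow-list of trusted origins (constructed for this example).
// Entries are full origins (scheme + host + optional port), compared exactly.
const ALLOWED_ORIGINS = new Set([
  "https://www.bank.example",
  "https://app.bank.example",
]);

// Vulnerable: echoes whatever Origin the browser sent, so a credentialed
// response becomes readable by any site the logged-in victim visits.
function reflectingCorsHeaders(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: only an exact member of the allow-list is echoed back.
// Exact Set membership avoids prefix/suffix matching mistakes and also
// rejects the literal string "null" that sandboxed contexts send.
// Vary: Origin stops a shared cache from serving one origin's response
// to a request from another origin.
function allowListCorsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: no Allow-Origin header at all, so the browser
    // refuses to expose the response body to the calling script.
    return { Vary: "Origin" };
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Would a script running on `origin` be allowed to read a credentialed
// response carrying these headers? (Mirrors the browser's check.)
function readableCrossOrigin(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}
```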