
What changed here and why does it matter for security?

javascript diff
-app.use(cors({-  origin: req.headers.origin,-  credentials: true,-}));+const ALLOWED = new Set(['https://app.secprep.io']);+app.use(cors({+  origin: (origin, cb) => cb(null, ALLOWED.has(origin)),+  credentials: true,+}));
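Review bot: The replacement `origin` callback is the right shape (exact `Set` membership, `cb(null, false)` rather than an error for anything else, so rejected origins simply get no CORS headers), but `ALLOWED` is a single hard-coded production origin on the same line as the policy. Consider sourcing the set from configuration so dev and staging origins are added there instead of by editing this literal, and add a short comment explaining why the origin must match exactly and why `credentials: true` makes the allowlist mandatory.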

The vulnerable code echoed whatever Origin header the browser sent straight back into Access-Control-Allow-Origin, and set Access-Control-Allow-Credentials: true. This is dangerous because the whole chain works end to end: a victim visits attacker.com → the attacker's JS triggers a cross-origin request to your API → the browser attaches the victim's cookies (credentials) → your server reflects the attacker's origin as 'allowed' → the browser lets the attacker's JS read the authenticated response (e.g. the victim's account data). This bypasses the same-origin policy entirely.

The fix introduces an explicit ALLOWED set. Now Access-Control-Allow-Origin is only echoed if the requesting origin is on that trusted list; everything else is rejected. This ensures only your own front-end can read credentialed responses.
