Fix guide · high · cors_acao_wildcard_with_credentials
CORS Access-Control-Allow-Origin: * with Allow-Credentials: true
Your response sets Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true.
Why it matters
This combination is forbidden by browsers (they'll refuse to send credentials). But it's a strong signal of a configuration bug — usually the developer wanted to relax CORS and accidentally enabled credentials too. Some non-browser clients (proxies, server-to-server tools) honor it and the credentials leak.
How to fix it
Pick one:
- If you don't need credentials cross-origin, drop Access-Control-Allow-Credentials: true.
- If you do need credentials, set Access-Control-Allow-Origin to a specific origin (or echo the request's Origin header against an allowlist).
Never combine * with Allow-Credentials: true.
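The second option above (echo the request's Origin only when it is on an allowlist) and a checker for the flagged combination, as an added example that is not vibecheck's own code. The allowlisted origins, the header-map shape and the function names are assumptions made for the example:

```javascript
// Added example, not part of the original guide or the vibecheck project.
// Two pieces: a CORS header builder that can never emit "*" together with
// Allow-Credentials, and a checker that flags the combination in a response.

// Constructed sample allowlist of exact origins (scheme + host + optional port).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Hardened builder: echo the request's Origin only if it is on the allowlist.
// Returns the CORS response headers to set, or {} when the origin is not allowed
// (no CORS headers at all, so the browser blocks the cross-origin read).
function buildCorsHeaders(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== 'string' || !allowlist.has(requestOrigin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Vary on Origin so a shared cache never serves one origin's ACAO to another.
    'Vary': 'Origin',
  };
}

// The misconfiguration this guide describes, kept only for contrast.
function buildWildcardCorsHeaders() {
  return {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Checker: does a response-header map (keys matched case-insensitively)
// combine Allow-Origin "*" with Allow-Credentials "true"?
function hasWildcardWithCredentials(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value).trim();
  }
  const acao = lower['access-control-allow-origin'] || '';
  const acac = (lower['access-control-allow-credentials'] || '').toLowerCase();
  return acao === '*' && acac === 'true';
}

// Stand-alone demo: the wildcard variant is flagged, the allowlisted one is not.
console.log(hasWildcardWithCredentials(buildWildcardCorsHeaders()));            // true
console.log(hasWildcardWithCredentials(buildCorsHeaders('https://app.example.com'))); // false
console.log(buildCorsHeaders('https://not-on-the-list.example.net'));           // {}
```

The allowlist compares the whole origin string, so a lookalike such as a different port or a host that merely ends in the allowed domain does not match; if you adapt this to a framework's middleware, run the checker against the headers the framework actually emits rather than the ones you intended to set.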
Full guide: /blog/cors-misconfig-vibe-coded.
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.