Fix guide · high · cors_null_origin_allowed
Server allows Origin: null
vibecheck sent a request with Origin: null (the literal string null) and your server returned Access-Control-Allow-Origin: null. Sandboxed iframes, data: URLs, and file:// URLs all send Origin: null — an attacker who can host a sandboxed iframe gets whatever this CORS policy grants.
Why it matters
null as an origin is what browsers send when there's no real origin to use: the page is opened from a file:// URL, embedded as a data: URL, or running inside an <iframe sandbox> element. Lots of platforms let users embed sandboxed iframes with arbitrary content (Notion, Confluence, ad networks, embeddable widgets, even some email clients). If your CORS policy accepts null, an attacker hosts their exploit inside any of those — every visitor with an active session against your domain becomes a forge target.
The pattern usually shows up because the cors middleware was configured to allow 'null' as a debugging convenience during development (so devs could test from file://-based HTML files) and the entry was never removed.
How to fix it
Remove null from your CORS allowlist. It should never be there in production.
Express + cors:
const express = require("express");
const cors = require("cors");
const app = express();

const ALLOWED_ORIGINS = [
  "https://your-app.com",
  "https://www.your-app.com",
  // NOT: "null"
];

app.use(cors({
  origin: (origin, cb) => {
    // Reject Origin: null explicitly (some libraries treat null as "no origin").
    if (origin === "null") return cb(new Error("null origin not allowed"));
    // No Origin header at all (same-origin navigation, curl, server-to-server): let it through.
    if (!origin) return cb(null, true);
    if (ALLOWED_ORIGINS.includes(origin)) return cb(null, true);
    return cb(new Error("Origin not allowed"));
  },
  credentials: true,
}));
For local development from file:// URLs: serve a real local HTTP server instead. python3 -m http.server, vite, npx serve — any of them gives you a real Origin header that you can allowlist for dev only.
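One way to verify the fix, as an added example that is not vibecheck's code or the cors package's: the origin decision the callback above should make, written as a standalone function, plus a classifier for the response headers a request sent with Origin: null gets back, and a live probe you can point at your own deployment. ALLOWED_ORIGINS, the function names and the sample header sets are constructed for this example.

```javascript
// Added example (not vibecheck's or the cors package's code): check that a
// server does not grant CORS access to the "null" origin. The allowlist and
// the sample header sets below are constructed for the example.

const ALLOWED_ORIGINS = new Set([
  "https://your-app.com",
  "https://www.your-app.com",
]);

// The decision the cors() origin callback in the fix above should make.
// "null" is rejected before anything else; a missing Origin header (curl,
// same-origin navigation, server-to-server) passes; everything else must
// match the allowlist exactly, so "https://your-app.com.evil.example" fails.
function originAllowed(origin) {
  if (origin === "null") return false;
  if (origin === undefined || origin === "") return true;
  return ALLOWED_ORIGINS.has(origin);
}

// Classify the response to a request that carried `Origin: null`.
// `headers` is a plain object keyed by lowercase header name, as produced by
// Object.fromEntries(response.headers) in Node 18+.
function classifyNullOriginResponse(headers) {
  const acao = headers["access-control-allow-origin"];
  const credentialed = headers["access-control-allow-credentials"] === "true";
  if (acao === undefined) {
    return { vulnerable: false, credentialed, reason: "no CORS grant in response" };
  }
  if (acao === "null") {
    return {
      vulnerable: true,
      credentialed,
      reason: credentialed
        ? "null origin granted with credentials: a sandboxed iframe can read authenticated responses"
        : "null origin granted without credentials: a sandboxed iframe can read unauthenticated responses",
    };
  }
  if (acao === "*" && credentialed) {
    // Browsers refuse this combination, but it still signals a misconfigured policy.
    return { vulnerable: false, credentialed, reason: "wildcard with credentials is rejected by browsers; fix the config anyway" };
  }
  return { vulnerable: false, credentialed, reason: `grant is scoped to ${acao}` };
}

// Live check against your own deployment (Node 18+ fetch). Sends the same
// Origin: null request the scanner sends and classifies the reply.
async function probeNullOrigin(url) {
  const res = await fetch(url, { headers: { Origin: "null" }, redirect: "manual" });
  return classifyNullOriginResponse(Object.fromEntries(res.headers));
}

// Constructed sample responses, so the classifier can be exercised offline.
const SAMPLE_VULNERABLE = {
  "access-control-allow-origin": "null",
  "access-control-allow-credentials": "true",
};
const SAMPLE_FIXED = {
  "access-control-allow-origin": "https://your-app.com",
  "access-control-allow-credentials": "true",
  vary: "Origin",
};

if (process.argv[2]) {
  // node check-null-origin.js https://your-app.com/api/me
  probeNullOrigin(process.argv[2]).then((r) => console.log(r));
} else {
  console.log("vulnerable sample:", classifyNullOriginResponse(SAMPLE_VULNERABLE));
  console.log("fixed sample:", classifyNullOriginResponse(SAMPLE_FIXED));
}
```

Run it with a URL argument after deploying the fix; a response that echoes null back as Access-Control-Allow-Origin is the finding, and a response whose grant is scoped to one of your allowlisted origins (or carries no grant at all) is what you want to see. The classifier deliberately keys on the lowercase header names that Node's Headers iterator yields, so the same function works on a captured header dump and on a live fetch.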
Full guide: /blog/cors-misconfig-vibe-coded.
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.