Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

igbuend/open-cors-anti-pattern

Name: open-cors-anti-pattern
Author: igbuend

skills/open-cors-anti-pattern/SKILL.md

npx skillsauth add igbuend/grimbard open-cors-anti-pattern

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Open CORS Policy Anti-Pattern

Severity: Medium

Summary

Misconfigured CORS policies allow any website to make authenticated requests on behalf of users. Servers responding with Access-Control-Allow-Origin: * or reflecting client Origin headers enable data theft and unauthorized actions.

The Anti-Pattern

The anti-pattern is overly permissive Access-Control-Allow-Origin headers: wildcard (*) or reflecting client Origin values.

BAD Code Example

# VULNERABLE: The server reflects any Origin header, or uses a wildcard with credentials.
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.after_request
def add_cors_headers(response):
    # DANGEROUS: Reflecting Origin header.
    # Attacker site (https://evil.com) can make requests.
    origin = request.headers.get('Origin')
    if origin:
        response.headers['Access-Control-Allow-Origin'] = origin

    # DANGEROUS: Wildcard with credentials.
    # Most browsers block, but critical misconfiguration.
    # response.headers['Access-Control-Allow-Origin'] = '*'
    # response.headers['Access-Control-Allow-Credentials'] = 'true'

    return response

@app.route("/api/user/profile")
def get_profile():
    # Endpoint for frontend, relies on session cookie.
    user = get_user_from_session()
    return jsonify(user.to_dict())

# Attack:
# 1. Logged-in user visits https://evil.com
# 2. Script fetches https://yourapp.com/api/user/profile
# 3. Permissive CORS allows request with session cookie
# 4. Server responds with user's sensitive profile
# 5. evil.com exfiltrates user data

GOOD Code Example

# SECURE: Maintain a strict allowlist of trusted origins.
from flask import Flask, request, jsonify

app = Flask(__name__)

# Strict allowlist of permitted origins.
ALLOWED_ORIGINS = {
    "https://www.yourapp.com",
    "https://yourapp.com",
    "https://staging.yourapp.com"
}

@app.after_request
def add_secure_cors_headers(response):
    origin = request.headers.get('Origin')
    if origin in ALLOWED_ORIGINS:
        # Set header only if origin in trusted list.
        response.headers['Access-Control-Allow-Origin'] = origin
        response.headers['Access-Control-Allow-Credentials'] = 'true'
        # Vary tells caches response depends on Origin.
        response.headers['Vary'] = 'Origin'
    return response

@app.route("/api/user/profile")
def get_profile_secure():
    user = get_user_from_session()
    return jsonify(user.to_dict())

# Script from https://evil.com: origin not in ALLOWED_ORIGINS,
# no CORS headers sent. Browser same-origin policy blocks request.

Detection

Use browser developer tools: Open the "Network" tab, make a cross-origin request to your API, and inspect the response headers. Look for Access-Control-Allow-Origin. Is it *? Does it match the Origin of your request even if that origin is untrusted?
Use curl: Make a request and set a custom Origin header to see if the server reflects it: curl -H "Origin: https://evil.com" -I https://yourapp.com/api/some-endpoint Check if the response contains Access-Control-Allow-Origin: https://evil.com.
Review CORS configuration: Check your application's code or framework configuration for how CORS headers are being set. Look for wildcards or reflected origins.

Prevention

[ ] Maintain strict allowlist: Most critical step. Define trusted origins explicitly.
[ ] Never reflect Origin header: Validate against allowlist before reflecting.
[ ] Avoid wildcard on authenticated endpoints: * unsafe for endpoints using cookies or Authorization headers. Only use for public, unauthenticated resources.
[ ] Use Access-Control-Allow-Credentials carefully: Set to true only when necessary and only for allowlisted origins.
[ ] Add Vary: Origin header: Tells caches response depends on Origin. Prevents cached response for trusted origin being served to malicious one.

Related Security Patterns & Anti-Patterns

Missing Security Headers Anti-Pattern: CORS is a key part of the broader suite of security headers an application must manage.
Cross-Site Scripting (XSS) Anti-Pattern: An attacker could use a permissive CORS policy to exfiltrate data stolen via an XSS attack.

References

OWASP Top 10 A02:2025 - Security Misconfiguration
OWASP GenAI LLM07:2025 - System Prompt Leakage
OWASP API Security API8:2023 - Security Misconfiguration
OWASP CORS Cheat Sheet
CWE-942: Permissive Cross-domain Policy with Untrusted Domains
PortSwigger - CORS Vulnerabilities
Source: sec-context

igbuend/open-cors-anti-pattern

skills/open-cors-anti-pattern/SKILL.md

Security anti-pattern for open Cross-Origin Resource Sharing (CORS) policies (CWE-942). Use when generating or reviewing server configurations, API backends, or any code that sets CORS headers. Detects overly permissive Access-Control-Allow-Origin headers, including wildcard, null origin, and reflected origin.

4 stars

development

Updated Apr 5, 2026

$ install --global

skillsauth

npx skillsauth add igbuend/grimbard open-cors-anti-pattern

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 5, 2026, 8:19 PM15.2s1 file scanned

SKILL.md

name:: open-cors-anti-pattern
description:: Security anti-pattern for open Cross-Origin Resource Sharing (CORS) policies (CWE-942). Use when generating or reviewing server configurations, API backends, or any code that sets CORS headers. Detects overly permissive Access-Control-Allow-Origin headers, including wildcard, null origin, and reflected origin.

Open CORS Policy Anti-Pattern

Severity: Medium

Summary

The Anti-Pattern

The anti-pattern is overly permissive Access-Control-Allow-Origin headers: wildcard (*) or reflecting client Origin values.

BAD Code Example

# VULNERABLE: The server reflects any Origin header, or uses a wildcard with credentials.
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.after_request
def add_cors_headers(response):
    # DANGEROUS: Reflecting Origin header.
    # Attacker site (https://evil.com) can make requests.
    origin = request.headers.get('Origin')
    if origin:
        response.headers['Access-Control-Allow-Origin'] = origin

    # DANGEROUS: Wildcard with credentials.
    # Most browsers block, but critical misconfiguration.
    # response.headers['Access-Control-Allow-Origin'] = '*'
    # response.headers['Access-Control-Allow-Credentials'] = 'true'

    return response

@app.route("/api/user/profile")
def get_profile():
    # Endpoint for frontend, relies on session cookie.
    user = get_user_from_session()
    return jsonify(user.to_dict())

# Attack:
# 1. Logged-in user visits https://evil.com
# 2. Script fetches https://yourapp.com/api/user/profile
# 3. Permissive CORS allows request with session cookie
# 4. Server responds with user's sensitive profile
# 5. evil.com exfiltrates user data

GOOD Code Example

# SECURE: Maintain a strict allowlist of trusted origins.
from flask import Flask, request, jsonify

app = Flask(__name__)

# Strict allowlist of permitted origins.
ALLOWED_ORIGINS = {
    "https://www.yourapp.com",
    "https://yourapp.com",
    "https://staging.yourapp.com"
}

@app.after_request
def add_secure_cors_headers(response):
    origin = request.headers.get('Origin')
    if origin in ALLOWED_ORIGINS:
        # Set header only if origin in trusted list.
        response.headers['Access-Control-Allow-Origin'] = origin
        response.headers['Access-Control-Allow-Credentials'] = 'true'
        # Vary tells caches response depends on Origin.
        response.headers['Vary'] = 'Origin'
    return response

@app.route("/api/user/profile")
def get_profile_secure():
    user = get_user_from_session()
    return jsonify(user.to_dict())

# Script from https://evil.com: origin not in ALLOWED_ORIGINS,
# no CORS headers sent. Browser same-origin policy blocks request.

Detection

Use browser developer tools: Open the "Network" tab, make a cross-origin request to your API, and inspect the response headers. Look for Access-Control-Allow-Origin. Is it *? Does it match the Origin of your request even if that origin is untrusted?
Use curl: Make a request and set a custom Origin header to see if the server reflects it: curl -H "Origin: https://evil.com" -I https://yourapp.com/api/some-endpoint Check if the response contains Access-Control-Allow-Origin: https://evil.com.
Review CORS configuration: Check your application's code or framework configuration for how CORS headers are being set. Look for wildcards or reflected origins.

Prevention

[ ] Maintain strict allowlist: Most critical step. Define trusted origins explicitly.
[ ] Never reflect Origin header: Validate against allowlist before reflecting.
[ ] Avoid wildcard on authenticated endpoints: * unsafe for endpoints using cookies or Authorization headers. Only use for public, unauthenticated resources.
[ ] Use Access-Control-Allow-Credentials carefully: Set to true only when necessary and only for allowlisted origins.
[ ] Add Vary: Origin header: Tells caches response depends on Origin. Prevents cached response for trusted origin being served to malicious one.

Related Security Patterns & Anti-Patterns

Missing Security Headers Anti-Pattern: CORS is a key part of the broader suite of security headers an application must manage.
Cross-Site Scripting (XSS) Anti-Pattern: An attacker could use a permissive CORS policy to exfiltrate data stolen via an XSS attack.

References

OWASP Top 10 A02:2025 - Security Misconfiguration
OWASP GenAI LLM07:2025 - System Prompt Leakage
OWASP API Security API8:2023 - Security Misconfiguration
OWASP CORS Cheat Sheet
CWE-942: Permissive Cross-domain Policy with Untrusted Domains
PortSwigger - CORS Vulnerabilities
Source: sec-context

Related Skills

igbuend/xss-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.

4SKILL.mdUpdated Apr 5, 2026

igbuend/xss-anti-pattern

igbuend/xpath-injection-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.

4SKILL.mdUpdated Apr 5, 2026

igbuend/xpath-injection-anti-pattern

igbuend/weak-password-hashing-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.

4SKILL.mdUpdated Apr 5, 2026

igbuend/weak-password-hashing-anti-pattern

igbuend/weak-encryption-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.

4SKILL.mdUpdated Apr 5, 2026

igbuend/weak-encryption-anti-pattern

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/igbuend/grimbard.git

# Copy into Claude Code skills folder (global)
cp -r grimbard/skills/open-cors-anti-pattern ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

igbuend/grimbard

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT