Dynamic Origin reflection with Credentials: true allows any site to read authenticated user data.
Browsers refuse to expose a response that carries `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`. A common "fix" is to echo the request's `Origin` header back as the allowed origin. That makes every origin allowed, and because credentials (cookies, HTTP auth) are also allowed, any page a logged-in user happens to visit can issue a credentialed cross-origin request (`fetch(url, { credentials: 'include' })`) and read the authenticated response. This is strictly worse than the wildcard it was meant to replace: the wildcard at least never ships with credentials. Partial checks — a suffix test or a loose regex on the origin — are not a fix either, because an attacker can register a domain that ends in the same string; compare the full origin exactly against an allowlist, as the fixed version below does.
// VULNERABLE — dynamic origin reflection
// Echoes whatever Origin the client sent and also allows credentials, so any
// page the victim visits can make a credentialed cross-origin request and read
// the response body. The missing piece is an allowlist check before reflecting.
// NOTE(review): Node's setHeader rejects undefined values, so a request with no
// Origin header (same-origin navigation, curl) would likely throw here — confirm.
app.use(function reflectAnyOrigin(req, res, next) {
  const reflectedOrigin = req.headers.origin;
  res.setHeader('Access-Control-Allow-Origin', reflectedOrigin);
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  next();
});
// Any attacker-controlled site can now read authenticated user data
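// FIXED — explicit allowlist
// Full origins (scheme + host [+ port], no path or trailing slash) that may make
// credentialed cross-origin requests. Matching below is exact string equality, so
// suffix or regex near-misses cannot sneak through. Frozen so nothing can append
// to it at runtime.
const ALLOWED_ORIGINS = Object.freeze(['https://app.pulllight.io', 'https://pulllight.io']);

/**
 * CORS middleware: reflect the request Origin only when it is allowlisted.
 *
 * - Non-allowlisted origins (and requests with no Origin header) get no
 *   Access-Control-Allow-Origin, so the browser withholds the response body.
 * - Access-Control-Allow-Credentials is emitted only together with an allowlisted
 *   origin — never alongside a reflected-anything or wildcard origin.
 * - Vary: Origin is always added because the CORS headers now depend on the
 *   request Origin; without it a shared cache could replay a response carrying
 *   one origin's ACAO header (or none at all) to a request from a different origin.
 * - Preflight (OPTIONS) requests are not terminated here; they fall through to
 *   the downstream handlers exactly as before.
 */
app.use((req, res, next) => {
  const origin = req.headers.origin;
  // Node yields a string or undefined; includes(undefined) is already false, the
  // typeof check just makes the intent explicit.
  if (typeof origin === 'string' && ALLOWED_ORIGINS.includes(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Credentials', 'true');
  }
  if (typeof res.vary === 'function') {
    res.vary('Origin'); // Express helper: appends to an existing Vary instead of replacing it
  } else {
    res.setHeader('Vary', 'Origin');
  }
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
  next();
});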
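// Parameterized query: the driver sends req.params.id as a bound value, so it can
// never be interpreted as SQL text. Placeholder syntax is driver-specific — `$1`
// is node-postgres; mysql/mysql2 use `?` instead.
// NOTE(review): the result is neither awaited nor error-handled in this fragment;
// the surrounding handler (not shown) needs to do both.
pool.query('SELECT * FROM users WHERE id = $1', [req.params.id]);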