Cors Wildcard in Chi with Mutual Tls

When a Chi-based service enables a Cors wildcard (Allow-Origin: *) alongside Mutual TLS, the combination can unintentionally broaden the attack surface despite the presence of client certificate validation. Mutual TLS authenticates the client by verifying a certificate, but CORS is a browser-enforced policy applied after the TLS handshake. A wildcard origin does not restrict which origins can read the response; it only indicates that any origin may make the request. In a Chi application, if the CORS policy is configured permissively while the server requires client certificates, a browser-based frontend hosted on any origin can still issue authenticated requests using the client certificate presented by the user’s browser (e.g., via a corporate PKI or injected certificate). This can lead to unauthorized cross-origin access to sensitive endpoints, data exposure, or token leakage through Referer headers or CORS preflight responses.

Chi does not enforce CORS at the TLS layer; it operates at the HTTP routing level. If the developer applies a wildcard Access-Control-Allow-Origin header while relying on Mutual TLS for access control, the browser may still allow cross-origin JavaScript to read responses. Attackers can craft malicious pages that leverage the permissive CORS header and the client’s valid certificate to exfiltrate data. This is especially risky when endpoints return sensitive user information or authentication tokens. The vulnerability is not in Mutual TLS itself, but in the misalignment between transport-layer authentication and application-layer origin policies. An OpenAPI spec that defines CORS headers without accurate origin restrictions can further mislead developers into believing the service is more constrained than it is at runtime.

For example, consider a Chi endpoint that validates client certificates and returns user profile data. If the CORS policy sets Access-Control-Allow-Origin: *, any webpage—regardless of its origin—can make authenticated requests using the client’s certificate if the user’s browser possesses one. This undermines the principle of same-origin policy and can facilitate cross-site request forgery or data leakage in scenarios where the client certificate is automatically presented by the browser. The scanner may flag this as a CORS misconfiguration finding, noting that a wildcard origin conflicts with the expectation of origin-bound access even when Mutual TLS is in use.

To remediate the interaction between CORS wildcard and Mutual TLS in Chi, tighten the CORS policy to specific origins and ensure that client certificate validation is treated as an authentication signal rather than an origin control. Below are concrete examples using the CorsPolicy builder in Chi, paired with explicit Mutual TLS configuration.

Chi CORS with specific origins and Mutual TLS

// Chi server with restricted CORS and Mutual TLS client certificate validation
open System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using CORS = Microsoft.AspNetCore.Cors;

var builder = WebApplication.CreateBuilder(args);

// Configure Kestrel to require client certificates for Mutual TLS
builder.WebHost.ConfigureKestrel(serverOptions =>
{
    serverOptions.ListenAnyIP(5001, listenOptions =>
    {
        listenOptions.UseHttps(httpsOptions =>
        {
            httpsOptions.ServerCertificate = new X509Certificate2("server.pfx", "password");
            httpsOptions.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
            httpsOptions.AllowAnyClientCertificate();
        });
    });
});

// Define allowed origins explicitly — avoid wildcard when Mutual TLS is used
builder.Services.AddCors(options =>
{
    options.AddPolicy("SecurePolicy", policy =>
    {
        policy.WithOrigins("https://trusted.example.com", "https://app.example.com")
              .AllowAnyMethod()
              .AllowAnyHeader();
    });
});

var app = builder.Build();
app.UseCors("SecurePolicy");

app.MapGet("/profile", (HttpContext context) =>
{
    // Client certificate is validated by Kestrel; user info may be derived from cert
    var cert = context.Connection.ClientCertificate;
    return Results.Ok(new { Subject = cert?.Subject });
}).RequireHttps();

app.Run();

Chi CORS with policy based on request origin and Mutual TLS

// More dynamic CORS handling that inspects the Origin header while requiring certs
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddCors(options =>
{
    options.AddPolicy("DynamicOrigin", policy =>
    {
        policy.WithOrigins("https://trusted.example.com")
              .SetIsOriginAllowed(origin => origin.Equals("https://trusted.example.com", StringComparison.OrdinalIgnoreCase))
              .AllowAnyMethod()
              .AllowAnyHeader();
    });
});

var app = builder.Build();
app.UseCors("DynamicOrigin");

app.MapPost("/data", (HttpRequest request) =>
{
    var cert = request.HttpContext.Connection.ClientCertificate;
    if (cert == null)
    {
        return Results.Unauthorized();
    }
    // Process data with client identity from cert
    return Results.Ok();
}).RequireHttps();

app.Run();

In both examples, the CORS policy avoids a wildcard and explicitly enumerates trusted origins. This prevents browsers from making cross-origin requests from untrusted domains, even if the client presents a valid certificate. The Mutual TLS configuration ensures that only clients with acceptable certificates can reach the endpoint, but the CORS policy remains the gatekeeper for browser-based access. Additionally, ensure that sensitive responses do not include overly broad CORS headers and that the server does not reflect arbitrary origin values into Access-Control-Allow-Origin.