HIGH cors wildcardsailsapi keys

Cors Wildcard in Sails with Api Keys

Scan for cors wildcard in sails

Cors Wildcard in Sails with Api Keys — how this specific combination creates or exposes the vulnerability

A CORS wildcard (origin: *) combined with API key authentication in a Sails.js application can unintentionally expose privileged endpoints to any website. When cors.allRoutes is set to true with origin: '*' and credentials are enabled, browsers include cookies or authorization headers across origins, allowing a malicious site to make authenticated requests on behalf of a user who has an API key stored in client-side JavaScript.

API keys are often passed in headers such as x-api-key. If a Sails app validates the key but still responds to cross-origin requests via a wildcard, an attacker can embed the target endpoint in a frontend script and harvest keys or data. This situation violates the principle that authentication mechanisms should reduce the attack surface exposed to untrusted origins. The combination is especially risky when the API key has broad permissions, because the key is effectively leaked to any site that can execute JavaScript in the victim’s browser.

During a middleBrick scan, which tests the unauthenticated attack surface in 5–15 seconds, such misconfigurations appear in the CORS and Authentication checks. The scan correlates the wildcard origin with exposed routes that accept API keys and flags the risk of unauthorized cross-origin access. This maps to the OWASP API Top 10 controls for security misconfiguration and can be tied to findings under frameworks such as PCI-DSS and SOC2.

An example vulnerable Sails configuration:

// config/cors.js
module.exports.cors = {
  allRoutes: true,
  origin: '*',
  credentials: true
};

An example vulnerable route that relies on an API key header but is reachable from any origin:

// api/controllers/KeyController.js
module.exports = {
  getSecret: function (req, res) {
    const providedKey = req.headers['x-api-key'];
    if (providedKey !== process.env.API_KEY) {
      return res.status(401).send('Invalid key');
    }
    return res.ok({ secret: 'confidential-data' });
  }
};

In this setup, a site under attacker control can load /key/getSecret with XMLHttpRequest or fetch, and if the user’s browser sends the API key via headers or cookies, the attacker can obtain sensitive information. middleBrick’s cross-referencing of the OpenAPI spec with runtime behavior would highlight that a route guarded by an API key still responds to a wildcard CORS policy, providing prioritized remediation guidance.

Api Keys-Specific Remediation in Sails — concrete code fixes

To secure a Sails application, restrict CORS to known origins and avoid credentials with wildcards when API keys are used. Prefer explicit origin allowlisting and tie authentication to the same-origin policy or use CSRF tokens for state-changing requests. API keys should not be validated in a way that is origin-permissive.

Correct CORS configuration that disables wildcard origins and credentials together:

// config/cors.js
module.exports.cors = {
  allRoutes: true,
  origin: ['https://trusted.example.com', 'https://app.example.com'],
  credentials: false
};

If credentials must be used for a specific route, narrow the origin to exact trusted domains and enforce additional checks within the controller:

// config/cors.js
module.exports.cors = {
  allRoutes: false,
  origin: [
    {
      origin: 'https://trusted.example.com',
      credentials: true
    }
  ]
};

Controller-side validation that checks both the API key and the request origin:

// api/controllers/KeyController.js
const ALLOWED_ORIGIN = 'https://trusted.example.com';

module.exports = {
  getSecret: function (req, res) {
    const origin = req.headers.origin;
    if (origin !== ALLOWED_ORIGIN) {
      return res.status(403).send('CORS policy violation');
    }

    const providedKey = req.headers['x-api-key'];
    if (providedKey !== process.env.API_KEY) {
      return res.status(401).send('Invalid key');
    }

    return res.ok({ secret: 'confidential-data' });
  }
};

For broader protection, use a policy that validates API keys early in the request lifecycle, such as a custom hook or policies/ entry, and ensure that routes requiring keys are not exposed to wildcard origins. middleBrick’s CLI can be used to verify that no route with an API key check has an origin wildcard, and the GitHub Action can enforce that any changes to CORS or authentication settings do not introduce this regression.

When using the middleBrick Pro plan, continuous monitoring can alert you if a future configuration change introduces a wildcard origin on a key-protected endpoint. The dashboard and compliance reports help track security posture over time without assuming automatic remediation.

Related CWEs: dataExposure

CWE IDNameSeverity
CWE-200Exposure of Sensitive Information HIGH
CWE-209Error Information Disclosure MEDIUM
CWE-213Exposure of Sensitive Information Due to Incompatible Policies HIGH
CWE-215Insertion of Sensitive Information Into Debugging Code MEDIUM
CWE-312Cleartext Storage of Sensitive Information HIGH
CWE-359Exposure of Private Personal Information (PII) HIGH
CWE-522Insufficiently Protected Credentials CRITICAL
CWE-532Insertion of Sensitive Information into Log File MEDIUM
CWE-538Insertion of Sensitive Information into Externally-Accessible File HIGH
CWE-540Inclusion of Sensitive Information in Source Code HIGH
Scan for cors wildcard in sails Free API security scan

Frequently Asked Questions

Can a CORS wildcard be safe if API keys are not used?
A wildcard origin can still be risky even without API keys because it allows any website to make authenticated requests on behalf of a user via cookies or other credentials. Prefer specific origins to limit exposure.
How does middleBrick detect CORS misconfigurations with API keys?
middleBrick runs parallel security checks including CORS and Authentication. It cross-references the OpenAPI spec definitions with runtime behavior to identify when a route protected by API keys responds to a wildcard origin.

Related Pages

Cors Wildcard in SailsSails CORS wildcard misconfigurations create dangerous cross-origin attack surfaces. Learn Sails-specific detection and Cors Wildcard with Api KeysLearn how CORS wildcard configurations create API key vulnerabilities and how to detect and fix them with proper origin Cors Wildcard in Sails on CloudflareUnderstand how CORS wildcard misconfigurations in Sails apps behind Cloudflare create security risks and apply concrete Cors Wildcard in Sails on HerokuUnderstand how CORS wildcard misconfigurations in Sails on Heroku expose APIs, and apply concrete fixes with environmentCors Wildcard in Sails on AzureCORS wildcard risks in Sails hosted on Azure, with secure configuration examples and Azure-specific hardening guidance.Cors Wildcard in Sails on DockerCORS wildcard risks in Sails running inside Docker, with Docker-specific remediation and configuration examples.Pci Dss: Cors Wildcard in SailsExplore how wildcard CORS in Sails can conflict with Pci DSS, and apply concrete configuration fixes to restrict originsSoc2: Cors Wildcard in SailsUnderstand how wildcard CORS in Sails affects SOC 2 controls and apply concrete fixes with code examples for origin alloIso 27001: Cors Wildcard in SailsUnderstand the conflict between wildcard CORS and ISO 27001 in Sails, and apply concrete remediation with code examples.Cis: Cors Wildcard in SailsUnderstanding Cis risks with wildcard CORS in Sails and secure configuration patterns with concrete code examples.Cors Wildcard in Sails with DynamodbCORS wildcard risks in Sails with DynamoDB: causes, remediation, and code examples for securing origins and tenant isolaCors Wildcard in Sails with CockroachdbAnalyze CORS wildcard risks with CockroachDB in Sails, with concrete remediation code and policy checks.