1 article with this tag
CORS is the browser mechanism that decides whether script running on another origin may read your API's responses. The dangerous misconfiguration is reflecting whatever Origin header arrives while also sending Access-Control-Allow-Credentials: true: any site the victim visits can then read authenticated responses, cookies included. (Access-Control-Allow-Origin: * with credentials is refused by browsers, which is exactly why servers that want cross-origin credentials drift into reflecting the Origin instead.) Suffix checks such as "ends with example.com" and trusting the literal origin "null" are the same bug in disguise. The real defense: an explicit exact-match allowlist, never blindly reflect Origin, and default deny by sending no CORS headers at all.
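Added example, not from the tagged article: a CORS policy function in the reflecting, suffix-matching and allowlisted forms, plus a small model of the browser's read check so the difference is visible without a browser. Function and constant names (ALLOWED_ORIGINS, corsHeadersReflecting, corsHeadersSuffix, corsHeadersAllowlist, browserCanRead) and the sample origins are assumptions made for the illustration.

```javascript
// Added example (not the tagged article's code). All names and origins below
// are assumptions chosen for illustration.

// Exact origins that may read responses with credentials.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Vulnerable: reflects any Origin and allows credentials, so every site the
// victim visits can read authenticated responses.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Also broken: a suffix check. "https://attacker-example.com" and
// "https://example.com.attacker.net"-style lookalikes are not caught by
// a naive endsWith on the host string.
function corsHeadersSuffix(origin) {
  if (!origin || !origin.endsWith("example.com")) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Hardened: exact-match allowlist, default deny. An unknown or absent
// Origin (including the literal "null") gets no CORS headers at all.
function corsHeadersAllowlist(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,   // echo only after the allowlist hit
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                        // keep caches from serving one origin's ACAO to another
  };
}

// Model of the browser's decision: may script at `origin` read the response?
// Mirrors the CORS rules: ACAO must equal the requesting origin, or be "*",
// and "*" is rejected when the request carried credentials.
function browserCanRead(headers, origin, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  if (acao !== origin) return false;
  if (withCredentials) return headers["Access-Control-Allow-Credentials"] === "true";
  return true;
}

// Stand-alone demo over constructed origins.
function demo() {
  const evil = "https://evil.example.net";
  const lookalike = "https://attacker-example.com";
  return {
    reflectLeaks: browserCanRead(corsHeadersReflecting(evil), evil, true),
    suffixLeaks: browserCanRead(corsHeadersSuffix(lookalike), lookalike, true),
    allowlistBlocks: !browserCanRead(corsHeadersAllowlist(evil), evil, true),
    allowlistPermits: browserCanRead(corsHeadersAllowlist("https://app.example.com"), "https://app.example.com", true),
    starWithCredsRefused: !browserCanRead(
      { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" }, evil, true),
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Checking a live endpoint is the same test from the outside: send a request with an attacker-controlled Origin header and a session cookie, and look for that origin echoed in Access-Control-Allow-Origin alongside Access-Control-Allow-Credentials: true.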