ast/wildcard-cors-via-set-header

CORS misconfiguration: Access-Control-Allow-Origin set to '*' via response header

high · AST · cors · CWE-942 · js · ts

What it detects

res.setHeader / res.set / res.header / ctx.set was called to assign Access-Control-Allow-Origin: '*'. Combined with any cookie-bearing endpoint, this lets any web origin issue authenticated requests against your API and read the response. AI assistants reach for this when asked to 'fix CORS' without using the cors package. Replace it with an explicit allow-list of origins, validated on every request.
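The flagged pattern beside the per-request allow-list the rule asks for, as an added example that is not the rule's or the project's own code. The origins in ALLOWED_ORIGINS are assumed placeholders, and the middleware only relies on Node's res.setHeader() shape (Express-compatible) so it runs without a framework installed.

```javascript
// Flagged by the rule: a wildcard origin written straight onto the response.
function wildcardCors(req, res, next) {
  res.setHeader('Access-Control-Allow-Origin', '*');
  next();
}

// Hardened form: an exact-match allow-list checked on every request.
// Assumed placeholder origins; replace with your own deployment's front-ends.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Returns the CORS headers to emit for this Origin, or null if the request
// should get none (no Origin header, or an origin not on the list).
function corsHeadersFor(origin, allowList = ALLOWED_ORIGINS) {
  // Exact string match only: prefix, suffix or regex checks are the classic
  // bypass (https://app.example.com.attacker.test would pass a startsWith).
  if (typeof origin !== 'string' || !allowList.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,   // echo the validated value, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                        // response differs per Origin; keep caches honest
  };
}

// Middleware: set headers only for allowed origins, answer preflights early.
function allowListCors(allowList = ALLOWED_ORIGINS) {
  return function (req, res, next) {
    const headers = corsHeadersFor(req.headers.origin, allowList);
    if (headers) {
      for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    }
    if (req.method === 'OPTIONS') {
      res.statusCode = 204;
      return res.end();
    }
    next();
  };
}
```

A request from an origin that is not on the list simply receives no Access-Control-Allow-Origin header, so the browser blocks the read; the server-side handler itself is unchanged.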

How it runs

Each scanned file is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the resulting AST looking for the call shape and user-input flow described above. Files larger than 200 KB, or that fail to parse, are skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress it per repository with a .repoguardignore line.