← all rules

code/fastapi-cors-wildcard-credentials

FastAPI CORS allows any origin with credentials

highFramework-awareframework:fastapiCWE-942python

What it detects

CORSMiddleware with `allow_origins=['*']` together with `allow_credentials=True` lets any site make credentialed cross-origin requests — the browser will not block it, defeating the same-origin policy.

How it runs

Gated on framework detection: the repo's manifests (package.json, requirements.txt, pom.xml, Gemfile, composer.json) are read to identify the stack, and the rule only runs against matching-language files when its framework is present.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.