Audit a CORS configuration for over-permissive Origin, Methods, and Headers and propose a tightened policy keyed to actual cross-origin call patterns.
Audits a CORS configuration (Express middleware, NGINX directives, or a CDN policy) for known over-permissive patterns and proposes a tightened policy grounded in observed cross-origin call patterns from access logs.
Inputs:
- config_path: file containing the CORS config (e.g., app.ts, nginx.conf, cdn-policy.json).
- access_log: a sample of request logs covering at least 7 days, with Origin headers preserved (and, for preflights, Access-Control-Request-Method and Access-Control-Request-Headers).
- allowed_clients: explicit list of trusted client origins.

Headers reviewed: Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials, Access-Control-Max-Age.

Smells:
- Allow-Origin: * combined with Allow-Credentials: true is invalid per the Fetch spec (browsers reject the response); flag as blocker.
- Allow-Origin: * on endpoints that accept authenticated requests should be replaced with explicit origins.
- Allow-Methods containing methods the server doesn't actually expose (e.g., OPTIONS, GET, POST, PUT, DELETE, PATCH when only GET is implemented).
- Allow-Headers: * permits anything on non-credentialed requests; on credentialed requests browsers match * literally, so the config is both too loose and silently broken. Replace it with the actual set used.

Log harvest: from access_log, collect the distinct observed values of Origin, Access-Control-Request-Method, and Access-Control-Request-Headers. Simple requests (GET/POST without custom headers) send no preflight, so the request method of every request carrying an Origin header counts as an observed method too.

Cross-reference the observed origins against allowed_clients. Origins outside the allowlist with non-trivial traffic indicate either expected partner integrations or potential attack reconnaissance; surface both.

Tightening:
- Allow-Credentials: true only on endpoints that need cookies.
- Set Max-Age to 600 if currently unset (the spec default is 5 seconds, so every non-simple request is preflighted again).

Outputs: cors-review.md containing: current config summary, smells with severity, observed-origin table, proposed tightened policy (paste-ready snippet), rollout checklist. Plus cors-tightened.<ext> for direct application.
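An added example, in Node.js, of the audit, harvest, cross-reference and tightening steps above; it is not the skill's own code. It checks an Express `cors` options object against the smells listed (the package's documented defaults are assumed: origin `*`, methods `GET,HEAD,PUT,PATCH,POST,DELETE`, and an unset allowedHeaders reflects the request's headers), parses constructed access-log lines in a hypothetical custom log format, and emits a tightened options object. It additionally flags `origin: true`, the package's reflect-request-Origin setting, which the smell list above does not name. The config, hit counts and route table are all constructed for the example.

```javascript
// Added example, not the cors-policy-reviewer skill's code.
// Constructed log lines in a hypothetical custom format:
//   <time> <method> <path> <status> "<Origin>" "<A-C-Request-Method>" "<A-C-Request-Headers>"
// "-" means the header was absent on that request. Counts are invented.
const rep = (n, line) => Array(n).fill(line);
const LOG_LINES = [
  ...rep(120, '2024-05-01T10:00:00Z GET /api/items 200 "https://app.example.com" "-" "-"'),
  ...rep(30, '2024-05-01T10:00:01Z OPTIONS /api/items 204 "https://app.example.com" "POST" "content-type,authorization"'),
  ...rep(30, '2024-05-01T10:00:02Z POST /api/items 201 "https://app.example.com" "-" "-"'),
  ...rep(25, '2024-05-01T11:00:00Z GET /api/reports 200 "https://partner.example.net" "-" "-"'),
  ...rep(2, '2024-05-02T03:00:00Z GET /api/admin 403 "https://evil.example.org" "-" "-"'),
  '2024-05-02T03:00:01Z GET /api/items 200 "null" "-" "-"',
  '2024-05-03T09:00:00Z GET /health 200 "-" "-" "-"',
];
const LINE_RE = /^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)" "([^"]*)"$/;

// Constructed current config (deliberately weak) and audit inputs.
const CURRENT_OPTIONS = { origin: "*", credentials: true, allowedHeaders: "*" }; // methods left at default
const IMPLEMENTED_METHODS = ["GET", "POST", "OPTIONS"]; // assumed to come from the route table
const ALLOWED_CLIENTS = ["https://app.example.com"];

function auditCorsOptions(opts, implemented) {
  const findings = [];
  const origin = opts.origin ?? "*"; // cors package default
  const creds = opts.credentials === true;
  if (origin === "*" && creds)
    findings.push({ severity: "blocker", smell: "Allow-Origin: * with Allow-Credentials: true; browsers reject the response" });
  else if (origin === "*")
    findings.push({ severity: "high", smell: "Allow-Origin: *; use explicit origins on authenticated endpoints" });
  if (origin === true) // cors package: reflect whatever Origin the request carries
    findings.push({ severity: "high", smell: "origin: true reflects any request Origin; a wildcard that also works with credentials" });
  const methods = (Array.isArray(opts.methods) ? opts.methods : (opts.methods ?? "GET,HEAD,PUT,PATCH,POST,DELETE").split(","))
    .map((m) => m.trim().toUpperCase());
  const unused = methods.filter((m) => !implemented.includes(m));
  if (unused.length)
    findings.push({ severity: "medium", smell: `Allow-Methods lists methods the server does not implement: ${unused.join(",")}` });
  if (opts.allowedHeaders === "*" || opts.allowedHeaders === undefined) // unset = reflect request headers
    findings.push({ severity: "medium", smell: "Allow-Headers is effectively *; with credentials browsers match * literally. List the real set" });
  if (opts.maxAge === undefined)
    findings.push({ severity: "low", smell: "Max-Age unset; browsers default to 5 s, so non-simple requests re-preflight constantly" });
  return findings;
}

function harvestLog(lines) {
  const origins = {};
  const methods = new Set();
  const headers = new Set();
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, , method, , , origin, acrm, acrh] = m;
    if (origin === "-") continue; // no Origin header: same-origin or non-browser traffic
    origins[origin] = (origins[origin] || 0) + 1;
    if (method !== "OPTIONS") methods.add(method.toUpperCase()); // simple requests never preflight
    if (acrm !== "-") methods.add(acrm.toUpperCase());
    if (acrh !== "-") acrh.split(",").forEach((h) => headers.add(h.trim().toLowerCase()));
  }
  return { origins, methods, headers };
}

function crossReference(origins, allowedClients, minHits = 10) {
  const allowed = new Set(allowedClients);
  const report = { expected: [], unexpected: [], lowVolume: [], suspicious: [] };
  for (const [origin, hits] of Object.entries(origins)) {
    if (origin === "null") report.suspicious.push({ origin, hits }); // file:// or sandboxed iframe
    else if (allowed.has(origin)) report.expected.push({ origin, hits });
    else if (hits >= minHits) report.unexpected.push({ origin, hits }); // partner or recon: surface for review
    else report.lowVolume.push({ origin, hits });
  }
  return report;
}

function proposePolicy(opts, observed, allowedClients) {
  return {
    origin: [...allowedClients],            // explicit list; never "*" or reflection
    methods: [...observed.methods],         // only what cross-origin callers actually use
    allowedHeaders: [...observed.headers].sort(),
    credentials: opts.credentials === true, // keep only where cookies are needed; review per route
    maxAge: opts.maxAge ?? 600,
  };
}

function runAudit(opts = CURRENT_OPTIONS, lines = LOG_LINES, implemented = IMPLEMENTED_METHODS, allowed = ALLOWED_CLIENTS) {
  const observed = harvestLog(lines);
  return {
    findings: auditCorsOptions(opts, implemented),
    observed: { origins: observed.origins, methods: [...observed.methods], headers: [...observed.headers] },
    crossRef: crossReference(observed.origins, allowed),
    proposed: proposePolicy(opts, observed, allowed),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

The `proposed` object is the paste-ready snippet for `cors(...)`; the `unexpected` list is the one to walk through with product owners before rollout, since a 25-hit partner origin missing from allowed_clients becomes an outage the moment the tightened policy ships.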
Deploy the tightened policy in a staging environment and run a synthetic test: from each origin in the new allowlist, send a preflight (OPTIONS) and the actual request; confirm 2xx. From an origin NOT in the allowlist, confirm the browser blocks the response (the server may still echo permissive headers if proxied; verify at the browser layer). Watch error logs for 7 days; partner origins missed in the audit will surface as 4xx spikes.
Edge cases:
- Wildcard subdomains (e.g., *.company.com): allow, but require an explicit, anchored subdomain regex rather than a star; an unanchored pattern also matches origins such as https://api.company.com.attacker.example.
- Origin: null (file:// pages or sandboxed iframes): generally should not be permitted; flag as suspicious.
- Sec-Fetch-Site.
Same domains or capabilities as amitte/cors-policy-reviewer.
Diff two OpenAPI YAML files and produce a backwards-compatibility changelog grouped into breaking, non-breaking, and additive changes.
Audit an AWS IAM policy against CloudTrail usage data and propose a minimized policy listing only actions actually invoked in the analysis window.
Map a SOC2 or ISO 27001 control to evidence artifacts in a typical engineering org — produce a list of artifacts, owners, and the query or path that produces each.
Scan a container image with Trivy or Grype and surface fixes ranked by exploitability and patch availability.
Tighten a Content-Security-Policy by stripping wildcards and verifying the result against actual page resource loads observed in browser logs.
Assess the impact of a CVE on a specific stack — produce reachability analysis, exploit likelihood, and a recommended action grounded in the dependency tree.