← all rules
code/js-cors-wildcard-credentials
CORS: wildcard origin with credentials allowed
What it detects
Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true is insecure (and ignored by browsers, usually silently). Use an explicit origin list.
How it runs
Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.