Why does "CORS null Origin risk" appear in ExposureGrid?

Scanners observe externally visible signals. A finding means our rules matched - validate severity and applicability in your environment.

Could this be a false positive?

Yes, depending on context and coverage limits. Especially for heuristic, partial, or pattern-based checks, corroborate with manual review.

What should I do after changing configuration?

Re-run a scan to confirm the external signal changed, then enable monitoring where your plan supports it.

CORS null Origin risk

Scan your domain

CORS null Origin risk: what it means, why it may matter, and how to remediate with external verification using ExposureGrid.

The problem

CORS null Origin risk: CORS headers decide which web origins may read responses in a browser. Misconfigurations can widen who can access browser-visible data.

Why it matters

Risk depends on whether responses contain sensitive data and whether cookies or credentials are involved. Some issues are high-signal; others need app-specific review.

How to check

Test with controlled cross-origin requests and review ACAO/ACAC/Vary headers on API and page routes. Re-run ExposureGrid after policy changes.

How to fix

Prefer explicit origin allowlists. Never combine Access-Control-Allow-Credentials: true with wildcard ACAO. Add Vary: Origin when ACAO varies by requester. Minimize exposed headers and allowed methods.

Identify owners for the affected component (app, edge, DNS, or mail).
Make a minimal change and validate in staging or a canary route.
Deploy with monitoring and rollback readiness.
Re-run ExposureGrid to confirm the external signal improved.

Run a scan to verify this fix on your domain

Use the same public scanner as the homepage — results honor your plan tier.

Scan your domain

What ExposureGrid checks

ExposureGrid probes multiple origins and routes to surface patterns like reflection, wildcards, and missing Vary where dynamic ACAO is used.

FAQ

Why does "CORS null Origin risk" appear in ExposureGrid?: Scanners observe externally visible signals. A finding means our rules matched - validate severity and applicability in your environment.
Could this be a false positive?: Yes, depending on context and coverage limits. Especially for heuristic, partial, or pattern-based checks, corroborate with manual review.
What should I do after changing configuration?: Re-run a scan to confirm the external signal changed, then enable monitoring where your plan supports it.

ExposureGrid continuously monitors these issues and alerts you before they become exploitable.

Start monitoring your domain Scan your domain

Run a private scan

Compare plans

Start free scan Compare plans