Security: CORS allow_origin(Any) exposes API to browser-based attacks #74

Open
opened 2026-05-11 13:48:49 +00:00 by thabeta · 0 comments

Severity: High

Location

crates/hero_aibroker_server/src/api_openrouter/mod.rs:

let cors = CorsLayer::new()
    .allow_origin(Any)
    .allow_methods(Any)
    .allow_headers(Any);

Finding

All three CORS dimensions are set to Any: any origin, any method, any headers. Combined with API key authentication, this enables:

  • CSRF attacks from malicious websites
  • Cross-origin API key theft via browser
  • Unauthorized use from any web page

Recommendation

  • Restrict allow_origin to known origins from config
  • Never use Any for methods — whitelist only needed HTTP verbs
  • Audit whether browser-based access is even intended (UDS-only deployment suggests no)
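The recommendation above (origins from config, an explicit method whitelist) is sketched below as an added example. It is not code from hero_aibroker and is written against std only, so it runs without tower-http; the equivalent tower-http `CorsLayer` calls are noted in a comment. The config values, origin strings and sample requests are constructed for the example.

```rust
// Added example, not hero_aibroker code: a CORS policy driven by an explicit
// allowlist instead of `Any`. Pure std so it compiles stand-alone. With
// tower-http the same policy would be expressed as
//   CorsLayer::new()
//       .allow_origin(origins_as_header_values)        // Vec<HeaderValue>, not Any
//       .allow_methods([Method::GET, Method::POST])    // not Any
//       .allow_headers([AUTHORIZATION, CONTENT_TYPE]); // not Any
use std::collections::BTreeSet;

#[derive(Debug, Clone)]
pub struct CorsPolicy {
    origins: BTreeSet<String>, // lowercased `scheme://host[:port]`
    methods: BTreeSet<String>, // uppercased HTTP verbs
    headers: BTreeSet<String>, // lowercased header names
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    /// No Origin header: not a cross-origin browser request, emit no CORS headers.
    NoCors,
    /// Origin (and method) allowed: emit exactly these response headers.
    Allow(Vec<(String, String)>),
    /// Not allowed: emit no Access-Control-* headers, so the browser blocks the read.
    Deny,
}

impl CorsPolicy {
    /// Build from configuration (hypothetical keys such as `cors.allowed_origins`).
    /// Wildcards, `null` and origins carrying a path are rejected at load time,
    /// so an over-broad setting fails fast instead of silently reopening the API.
    pub fn from_config(origins: &[&str], methods: &[&str], headers: &[&str]) -> Result<Self, String> {
        let mut allowed = BTreeSet::new();
        for o in origins {
            let o = o.trim().to_ascii_lowercase();
            if o.is_empty() || o == "*" || o == "null" {
                return Err(format!("refusing origin {o:?}: wildcard/null origins are not allowed"));
            }
            let (scheme, rest) = o
                .split_once("://")
                .ok_or_else(|| format!("origin {o:?} lacks a scheme"))?;
            if !(scheme == "http" || scheme == "https") || rest.is_empty() || rest.contains('/') {
                return Err(format!("origin {o:?} is not of the form scheme://host[:port]"));
            }
            allowed.insert(o);
        }
        if allowed.is_empty() {
            return Err("at least one allowed origin is required".into());
        }
        Ok(Self {
            origins: allowed,
            methods: methods.iter().map(|m| m.trim().to_ascii_uppercase()).collect(),
            headers: headers.iter().map(|h| h.trim().to_ascii_lowercase()).collect(),
        })
    }

    /// Decide the CORS headers for one request. `preflight_method` is the value of
    /// `Access-Control-Request-Method` on an OPTIONS preflight, if present.
    pub fn evaluate(&self, origin: Option<&str>, method: &str, preflight_method: Option<&str>) -> Decision {
        let Some(origin) = origin else { return Decision::NoCors };
        let origin = origin.trim().to_ascii_lowercase();
        if !self.origins.contains(&origin) {
            return Decision::Deny;
        }
        // Echo the single matching origin (never `*`) and tell caches the answer varies by Origin.
        let mut out = vec![
            ("Access-Control-Allow-Origin".to_string(), origin),
            ("Vary".to_string(), "Origin".to_string()),
        ];
        if method.eq_ignore_ascii_case("OPTIONS") {
            if let Some(requested) = preflight_method {
                if !self.methods.contains(&requested.to_ascii_uppercase()) {
                    return Decision::Deny;
                }
                out.push(("Access-Control-Allow-Methods".to_string(), join(&self.methods)));
                out.push(("Access-Control-Allow-Headers".to_string(), join(&self.headers)));
            }
        } else if !self.methods.contains(&method.to_ascii_uppercase()) {
            return Decision::Deny;
        }
        Decision::Allow(out)
    }
}

fn join(set: &BTreeSet<String>) -> String {
    set.iter().cloned().collect::<Vec<_>>().join(", ")
}

fn main() {
    // Constructed config and requests for illustration.
    let policy = CorsPolicy::from_config(
        &["https://app.example"],
        &["GET", "POST"],
        &["authorization", "content-type"],
    )
    .expect("valid CORS config");
    println!("{:?}", policy.evaluate(Some("https://evil.example"), "GET", None));
    println!("{:?}", policy.evaluate(Some("https://app.example"), "OPTIONS", Some("DELETE")));
    println!("{:?}", policy.evaluate(Some("https://app.example"), "OPTIONS", Some("POST")));
    println!("{:?}", CorsPolicy::from_config(&["*"], &["GET"], &[]));
}
```

The two properties worth carrying into the real middleware are that the response echoes one configured origin rather than `*`, and that a `*` in the config is an error rather than a silent fallback to the current behaviour.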
Reference
lhumina_code/hero_aibroker#74