Fix
CORS Wildcard Too Broad
Avoid Access-Control-Allow-Origin: * for sensitive endpoints (especially with credentials).
InfoCategory: cors
Related checks
Fix steps
- For authenticated endpoints, allowlist specific origins.
- Do not use '*' with Access-Control-Allow-Credentials: true.
- Handle OPTIONS preflight correctly.