CORS
The toHaveSecureCORS() matcher tests a CORS configuration for common misconfigurations. Pass a Playwright APIRequestContext and a URL.
Basic Usage

```ts
import { test, expect } from "@orlalabs/kovar";

test("API has secure CORS", async ({ request }) => {
  await expect(request).toHaveSecureCORS("/api/data");
});
```

What It Checks

The matcher sends preflight requests with untrusted origins and checks for:
| Check | Severity |
|---|---|
| Reflects untrusted origin with credentials | critical |
| Wildcard origin (*) with credentials | critical |
| Wildcard origin (*) | high |
| Reflects untrusted origin without credentials | high |
| Wildcard Access-Control-Allow-Headers | high |
| Allows dangerous methods (PUT, DELETE, PATCH) | medium |
CWE mappings:
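The checks in the table above, as an added example that is not part of kovar: a function that classifies the headers of a single preflight response by the table's severities. The name `evaluateCorsHeaders`, the lower-cased header names and the sample headers are assumptions for illustration, not the library's API.

```typescript
// Added example, not kovar's own code: classifies one preflight response's
// CORS headers using the check/severity table above. Header names are assumed
// lower-cased, as Playwright's response.headers() returns them.
type Severity = "critical" | "high" | "medium";
interface Finding { check: string; severity: Severity }

const DANGEROUS_METHODS = ["PUT", "DELETE", "PATCH"];

function evaluateCorsHeaders(
  testedOrigin: string,             // the untrusted Origin the preflight was sent with
  headers: Record<string, string>,  // response headers, lower-cased names
  trustedOrigins: string[] = [],    // origins the policy is meant to allow
): Finding[] {
  const h = (name: string): string => headers[name] ?? "";
  const list = (name: string): string[] =>
    h(name).split(",").map((v) => v.trim().toUpperCase()).filter((v) => v !== "");
  const allowOrigin = h("access-control-allow-origin");
  const withCreds = h("access-control-allow-credentials").toLowerCase() === "true";
  const findings: Finding[] = [];

  // Echoing the tested origin is only a finding when that origin is not trusted.
  if (allowOrigin === testedOrigin && !trustedOrigins.includes(testedOrigin)) {
    findings.push(withCreds
      ? { check: "Reflects untrusted origin with credentials", severity: "critical" }
      : { check: "Reflects untrusted origin without credentials", severity: "high" });
  }
  if (allowOrigin === "*") {
    findings.push(withCreds
      ? { check: "Wildcard origin (*) with credentials", severity: "critical" }
      : { check: "Wildcard origin (*)", severity: "high" });
  }
  if (list("access-control-allow-headers").includes("*")) {
    findings.push({ check: "Wildcard Access-Control-Allow-Headers", severity: "high" });
  }
  const dangerous = list("access-control-allow-methods").filter((m) => DANGEROUS_METHODS.includes(m));
  if (dangerous.length > 0) {
    findings.push({ check: `Allows dangerous methods (${dangerous.join(", ")})`, severity: "medium" });
  }
  return findings;
}

// Constructed sample: what a preflight sent with Origin: http://evil.com might get
// back from a server that reflects any origin and allows credentials.
const SAMPLE_PREFLIGHT_HEADERS: Record<string, string> = {
  "access-control-allow-origin": "http://evil.com",
  "access-control-allow-credentials": "true",
  "access-control-allow-headers": "*",
  "access-control-allow-methods": "GET, POST, DELETE",
};
```

Running it with "null" as the tested origin covers the default dangerousOrigins list as well, since a server echoing `null` is caught by the same reflection check.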
Options

```ts
await expect(request).toHaveSecureCORS("/api/data", {
  trustedOrigins: ["https://app.example.com"], // origins that should be allowed
  dangerousOrigins: ["null", "http://evil.com"], // origins to test against (default: ["null", "http://evil.com"])
});
```

| Option | Type | Description |
|---|---|---|
| trustedOrigins | string[] | Origins that should be allowed by the CORS policy |
| dangerousOrigins | string[] | Origins to test against (default: ["null", "http://evil.com"]) |
| url | string | URL to test (defaults to current page URL) |
Using the Fixture

```ts
import { test, expect } from "@orlalabs/kovar";

test("CORS audit", async ({ page, security }) => {
  await page.goto("/dashboard");

  // Inspect findings:
  const corsFindings = await security.cors.check();
  const critical = corsFindings.filter((f) => f.severity === "critical");
  expect(critical).toHaveLength(0);
});
```

Related

- CSRF — CORS and CSRF protections work together.
- Authentication — authentication bypasses can be amplified by CORS misconfigurations.
- Full Audit — include CORS in a comprehensive audit with checks: ["cors"].
- Standalone API — use checkCORS() outside Playwright.