
no-permissive-cors-middy

Detects permissive CORS configurations in Middy middleware. This rule is part of [`eslint-plugin-lambda-security`](https://www.npmjs.com/package/eslint-plugin-l

Keywords: CORS, Middy, Lambda middleware, CWE-942, security, wildcard origin

⚠️ This rule errors by default in the recommended config.

Quick Summary

| Aspect | Details |
| --- | --- |
| CWE Reference | CWE-942 (Permissive Cross-domain Policy) |
| Severity | 🔴 High |
| Auto-Fix | ✅ Yes |
| Category | Security |
| Best For | Lambda functions using Middy middleware |

Vulnerability and Risk

Vulnerability: Middy's `@middy/http-cors` middleware configured with `origin: '*'` allows any website to access your API.

Risk: the same as for permissive CORS headers set directly on responses: credential theft and unauthorized API access.

Examples

❌ Incorrect

```javascript
import middy from '@middy/core';
import cors from '@middy/http-cors';

// Wildcard origin - VULNERABLE
export const handler = middy(baseHandler).use(cors({ origin: '*' }));

// No origin = defaults to '*' - VULNERABLE
export const handler = middy(baseHandler).use(cors());

// credentials with wildcard - CRITICAL
export const handler = middy(baseHandler).use(
  cors({
    origin: '*',
    credentials: true,
  }),
);
```

✅ Correct

```javascript
import middy from '@middy/core';
import cors from '@middy/http-cors';

// Specific origin - SAFE
export const handler = middy(baseHandler).use(
  cors({
    origin: 'https://app.example.com',
  }),
);

// Multiple origins - SAFE
export const handler = middy(baseHandler).use(
  cors({
    origins: ['https://app.example.com', 'https://admin.example.com'],
  }),
);

// Dynamic origin validation - SAFE
export const handler = middy(baseHandler).use(
  cors({
    origin: (incomingOrigin) => {
      const allowed = ['https://app.example.com'];
      return allowed.includes(incomingOrigin) ? incomingOrigin : '';
    },
  }),
);
```

Options

| Option | Type | Default | Description |
| --- | --- | --- | --- |
| allowInTests | boolean | false | Allow permissive CORS in test files |

```json
{
  "rules": {
    "lambda-security/no-permissive-cors-middy": "error"
  }
}
```

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Options from Variable

Why: CORS options stored in variables are not analyzed.

```javascript
// ❌ NOT DETECTED - Options from variable
const corsOptions = { origin: '*' };
export const handler = middy(baseHandler).use(cors(corsOptions));
```

Mitigation: Use inline CORS options. Validate config at startup.

Dynamic Origin Validation Flaws

Why: The logic inside origin validation functions is not analyzed.

```javascript
// ❌ NOT DETECTED - Flawed validation
cors({
  origin: (incomingOrigin) => incomingOrigin, // Always returns origin!
});
```

Mitigation: Use exact match with allowlist. Test validation logic.
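The exact-match allowlist the mitigation above calls for, shown beside the two validator shapes the rule cannot see inside (reflect-everything and prefix matching), plus a small probe harness for "Test validation logic". It also illustrates the credential-theft risk named under Vulnerability and Risk: a reflecting validator combined with `credentials: true` yields a credentialed allow for any origin. This is an added example, not code from eslint-plugin-lambda-security or Middy; `buildCorsHeaders` is a simplified model of the headers a CORS middleware emits (an assumption, not Middy's implementation), and the allowlist and probe origins are constructed.

```javascript
// Added example (not code from eslint-plugin-lambda-security or Middy):
// exact-match origin allowlisting, the flawed validators the rule cannot see inside,
// and a probe harness for "Test validation logic". `buildCorsHeaders` is a simplified
// model of what a CORS middleware emits; it is an assumption, not Middy's implementation.

// Constructed allowlist: the exact origins (scheme + host [+ port]) that may call the API.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];

// Exact-match validator: returns the incoming origin only when it is allowlisted, else ''.
// A missing Origin header (same-origin or non-browser caller) is not a CORS request, so ''.
function makeExactOriginValidator(allowlist) {
  const allowed = new Set(allowlist);
  return (incomingOrigin) =>
    typeof incomingOrigin === 'string' && allowed.has(incomingOrigin) ? incomingOrigin : '';
}

// Flawed validator 1: reflects whatever Origin the browser sent (the "Always returns origin!" case).
const reflectAnyOrigin = (incomingOrigin) => incomingOrigin;

// Flawed validator 2: prefix match instead of exact match. A constructed look-alike such as
// 'https://app.example.com.evil.test' starts with the allowed origin and is accepted.
const prefixMatchOrigin = (incomingOrigin) =>
  typeof incomingOrigin === 'string' && incomingOrigin.startsWith('https://app.example.com')
    ? incomingOrigin
    : '';

// Simplified model of the response headers a CORS middleware adds for one request.
// Returning {} means no Access-Control-Allow-Origin header, so the browser blocks the read.
function buildCorsHeaders(requestOrigin, originFn, credentials = false) {
  const origin = originFn(requestOrigin);
  if (!origin) return {};
  const headers = { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Probe harness: every origin a validator accepts that is NOT in the allowlist is a bug.
function unexpectedAcceptances(originFn, allowlist, probes) {
  const allowed = new Set(allowlist);
  return probes.filter((probe) => {
    const result = originFn(probe);
    return Boolean(result) && !allowed.has(result);
  });
}

// Constructed probe set: one allowed origin, a look-alike host, a scheme downgrade,
// an unrelated origin, and the no-Origin-header case.
const PROBES = [
  'https://app.example.com',
  'https://app.example.com.evil.test',
  'http://app.example.com',
  'https://other.test',
  undefined,
];

// Runs all three validators over the probes; only the exact-match one should return [].
function auditAll() {
  return {
    exact: unexpectedAcceptances(makeExactOriginValidator(ALLOWED_ORIGINS), ALLOWED_ORIGINS, PROBES),
    reflect: unexpectedAcceptances(reflectAnyOrigin, ALLOWED_ORIGINS, PROBES),
    prefix: unexpectedAcceptances(prefixMatchOrigin, ALLOWED_ORIGINS, PROBES),
  };
}

console.log(JSON.stringify(auditAll(), null, 2));
```

A probe set like `PROBES` belongs in the function's unit tests: the lint rule stops at the function boundary, so the allowlist logic is only as safe as the tests that pin it to exact matches. The `Vary: Origin` header matters once the allowed origin varies per request, otherwise a shared cache can serve one origin's allow to another.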

Spread Configuration

Why: Spread objects hide their configuration.

```javascript
// ❌ NOT DETECTED - Origin in spread
const base = { origin: '*' };
export const handler = middy(baseHandler).use(cors({ ...base }));
```

Mitigation: Avoid spreading CORS options. Define inline.

Middleware Chain Variables

Why: Middleware stored in variables may not be recognized.

```javascript
// ❌ NOT DETECTED - Middleware from variable
const corsMiddleware = cors({ origin: '*' });
export const handler = middy(baseHandler).use(corsMiddleware);
```

Mitigation: Use inline middleware configuration.
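To make the false negatives above concrete, here is a static check with the same shape as an ESLint rule visitor, applied to hand-built ESTree nodes, showing which `cors(...)` calls can be decided from the literal source and which cannot. This is an added example, not the plugin's own implementation; `checkCorsCall`, the node builders and `corsRuleShape` are assumed names, and the cases are constructed to mirror the page's examples. It reproduces three of the four limitations (options from a variable, spread configuration, and an unanalyzed validator function); the middleware-chain case depends on how the rule locates `.use(...)`, which this check does not model.

```javascript
// Added example (not the plugin's own implementation): a static check with the shape of
// an ESLint rule visitor, run over hand-built ESTree nodes to show what can and cannot be
// decided from the literal source. `checkCorsCall`, the node builders and `corsRuleShape`
// are assumed names.

// Returns a finding string, or null when the call is safe or cannot be decided statically.
function checkCorsCall(node) {
  if (node.type !== 'CallExpression' || node.callee.type !== 'Identifier' || node.callee.name !== 'cors') {
    return null;
  }
  const [arg] = node.arguments;
  if (arg === undefined) return 'cors() without options defaults to origin "*"';
  // An Identifier, a call result or anything but an inline object literal is opaque here.
  if (arg.type !== 'ObjectExpression') return null;

  let originSeen = false; // origin/origins key present with any value (string, array, function)
  let originLiteral = null; // value of origin when it is a string literal
  let credentials = false;
  let hasSpread = false;
  for (const property of arg.properties) {
    if (property.type === 'SpreadElement') {
      hasSpread = true; // the spread object may carry origin; its contents are unknown
      continue;
    }
    if (property.computed) continue;
    const key = property.key.type === 'Identifier' ? property.key.name : String(property.key.value);
    if (key === 'origin' || key === 'origins') {
      originSeen = true;
      if (key === 'origin' && property.value.type === 'Literal') originLiteral = property.value.value;
    } else if (key === 'credentials' && property.value.type === 'Literal') {
      credentials = property.value.value === true;
    }
  }
  if (originLiteral === '*') {
    return credentials ? 'origin "*" combined with credentials: true' : 'wildcard origin "*"';
  }
  if (!originSeen && !hasSpread) return 'no origin given, defaults to "*"';
  return null; // explicit non-wildcard origin, a function, or a spread hiding the real value
}

// How such a check plugs into ESLint: report on every CallExpression it can decide.
const corsRuleShape = {
  meta: { type: 'problem' },
  create(context) {
    return {
      CallExpression(node) {
        const message = checkCorsCall(node);
        if (message) context.report({ node, message });
      },
    };
  },
};

// Minimal ESTree node builders (constructed; they mirror what espree produces for these forms).
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const prop = (key, value) => ({ type: 'Property', key: id(key), value, computed: false });
const obj = (...properties) => ({ type: 'ObjectExpression', properties });
const spread = (argument) => ({ type: 'SpreadElement', argument });
const call = (callee, ...args) => ({ type: 'CallExpression', callee: id(callee), arguments: args });
const arrow = (param) => ({ type: 'ArrowFunctionExpression', params: [id(param)], body: id(param) });

// Constructed cases mirroring the page's examples and its known false negatives.
const CASES = {
  wildcard: call('cors', obj(prop('origin', lit('*')))),
  wildcardWithCredentials: call('cors', obj(prop('origin', lit('*')), prop('credentials', lit(true)))),
  noOptions: call('cors'),
  specificOrigin: call('cors', obj(prop('origin', lit('https://app.example.com')))),
  optionsFromVariable: call('cors', id('corsOptions')), // const corsOptions = { origin: '*' }
  originViaSpread: call('cors', obj(spread(id('base')))), // const base = { origin: '*' }
  flawedValidator: call('cors', obj(prop('origin', arrow('incomingOrigin')))), // o => o
};

// Maps each case name to its finding (null = not reported).
function runAllCases() {
  return Object.fromEntries(Object.entries(CASES).map(([name, node]) => [name, checkCorsCall(node)]));
}

console.log(runAllCases());
```

The three `null` results for `optionsFromVariable`, `originViaSpread` and `flawedValidator` are the point: a visitor that only inspects the call's inline argument has no value to compare against `'*'`, which is why the page recommends inline options and a runtime configuration check alongside the lint rule.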

Resources

Error Message Format

The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance:

```text
🔒 CWE-942 OWASP:A01 CVSS:7.5 | CORS Misconfiguration detected | HIGH
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A01_2021/
```

Message Components

| Component | Purpose | Example |
| --- | --- | --- |
| Risk Standards | Security benchmarks | CWE-942 OWASP:A01 CVSS:7.5 |
| Issue Description | Specific vulnerability | CORS Misconfiguration detected |
| Severity & Compliance | Impact assessment | HIGH |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
