Backend safety

no-permissive-cors

Flag `cors({ origin:"*", credentials:true })` and reflect-any-origin handlers.

The dangerous configuration is a response that reflects whatever `Origin` header the request carried while also sending `Access-Control-Allow-Credentials: true`: any site a logged-in user visits can then make cookie-authenticated requests to the API and read the responses, which is functionally "allow any site to make authenticated requests on the user's behalf." Browsers refuse a credentialed response whose `Access-Control-Allow-Origin` is the literal `*`, so `origin: "*"` with `credentials: true` does not even work as written; it states the intent to allow every origin with credentials, and the usual "fix" (a reflect form such as `origin: true` in the `cors` package, or a callback that always answers `cb(null, true)`) is exactly what the browser will accept. The rule covers the cors() option object, the `origin: (o, cb) => cb(null, true)` reflect callback, and the manual-header form via `res.setHeader`.

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

app.use(cors({ origin: "*", credentials: true }));

Good:

app.use(cors({ origin: ["https://app.example.com"], credentials: true }));
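The following is an added example, not code from the deslint docs or from the `cors` package. It puts the reflect-any-origin handler the rule flags next to an exact-match allowlist, expressed as pure header-building functions so the behaviour can be checked without an HTTP server, and goes one step beyond the page by also showing a suffix-match check, a common attempt at an allowlist that still reflects lookalike origins. The allowlist contents, the function names and the Express-style middleware wrapper are assumptions for illustration.

```javascript
// Reflect-any-origin handler: what `origin: (o, cb) => cb(null, true)` and
// `res.setHeader("Access-Control-Allow-Origin", req.headers.origin)` amount to.
// Every origin, including an attacker's page, is granted credentialed access.
function permissiveCorsHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// A suffix check looks like an allowlist but is not: "https://evilexample.com"
// ends with "example.com" and is reflected just like the permissive form.
function suffixCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== "string" || !requestOrigin.endsWith("example.com")) {
    return null;
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened form: reflect the request origin only if it is in a fixed allowlist,
// compared as an exact string (scheme + host + port). Unknown or missing origins
// get no Access-Control-Allow-Origin header at all, so the browser blocks the read.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed allowlist

function strictCorsHeaders(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string" || !allowlist.has(requestOrigin)) {
    return null; // no CORS headers: same-origin and non-browser clients are unaffected
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // The response now depends on the request's Origin; tell caches so one
    // origin's answer is never served to a different origin.
    "Vary": "Origin",
  };
}

// Express-style middleware built on strictCorsHeaders, for code that sets the
// headers by hand instead of using cors(). Handles the preflight as well.
function strictCorsMiddleware(allowlist = ALLOWED_ORIGINS) {
  return function corsHandler(req, res, next) {
    const headers = strictCorsHeaders(req.headers.origin, allowlist);
    if (headers) {
      for (const [name, value] of Object.entries(headers)) {
        res.setHeader(name, value);
      }
      if (req.method === "OPTIONS") {
        // Preflight: advertise what the allowed origin may send, then stop.
        res.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE");
        res.setHeader("Access-Control-Allow-Headers", "Content-Type,Authorization");
        res.statusCode = 204;
        res.end();
        return;
      }
    }
    next();
  };
}
```

The array form in the "Good" example above gets the same exact-string comparison from the `cors` package itself; the point of the hand-rolled version is that the comparison is exact and that a rejected origin produces no allow header rather than a reflected one.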

Related rules

Use it

Enable no-permissive-cors in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-permissive-cors': 'error',
    },
  },
];
