CORS

Browser rules for which sites may read another site's responses.

Web security

What is CORS?

CORS (Cross-Origin Resource Sharing) is the browser mechanism that decides whether JavaScript running on one origin may read the response to a request it makes to a different origin. Misconfigured CORS, such as reflecting any request Origin in Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true, or returning Access-Control-Allow-Origin: null, can let a site controlled by an attacker read authenticated data on behalf of a logged-in user. Tighten it to an explicit allowlist of trusted origins, matched exactly.
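The two configurations described above, as an added server-side example (not code from the original page): a header builder that reflects every Origin with credentials beside one that grants only exact allowlist matches. The origin names are hypothetical.

```javascript
// Added example: builds the CORS response headers a server would emit for a
// given request Origin. Origins below are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak pattern: reflects whatever Origin the browser sent, including the
// literal "null" (sandboxed iframes, file:// pages), and allows credentials.
// Any page on any origin can then read the authenticated response.
function weakCorsHeaders(origin) {
  if (origin === undefined) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: only an exact match against the allowlist is granted
// (no prefix or substring matching, so "https://app.example.com.attacker.test"
// does not pass), "null" and unknown origins get no grant, and Vary: Origin
// keeps shared caches from replaying one origin's grant to another.
function strictCorsHeaders(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || !allowlist.has(origin)) {
    return { Vary: "Origin" };
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Constructed sample Origin headers, as browsers would send them.
const SAMPLE_ORIGINS = [
  "https://app.example.com",
  "https://third-party.example.net",
  "null",
  undefined, // same-origin or non-CORS request: no Origin header at all
];

// Returns the origins a given builder would allow to read the response.
function grantedOrigins(builder) {
  return SAMPLE_ORIGINS.filter(
    (o) => builder(o)["Access-Control-Allow-Origin"] !== undefined
  );
}

console.log("weak grants:", grantedOrigins(weakCorsHeaders));
console.log("strict grants:", grantedOrigins(strictCorsHeaders));
```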