You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs(cors): add Security section on wildcard origin + credentials (#277)
Upstream echo#2400 asked for the docs to explain the danger of combining a
wildcard origin with AllowCredentials, and the maintainer asked for a security
block on echo.labstack.com. The page only had a one-line caution that didn't
explain the behaviour or v5's enforcement.
Expand it into a "Security" section that explains:
- the danger: wildcard origin + AllowCredentials:true reflects any Origin back,
enabling credentialed cross-origin attacks;
- v5's enforcement: CORS / CORSWithConfig panic and ToMiddleware() returns an
error rather than building an insecure middleware;
- the safe pattern (explicit origins) and UnsafeAllowOriginFunc for dynamic
validation.
Applied across all five locales (translated prose, identical code block).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: site/src/content/docs/es/middleware/cors.md
+20-5Lines changed: 20 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -117,8 +117,23 @@ CORSConfig{
117
117
}
118
118
```
119
119
120
-
:::caution[Seguridad]
121
-
Nunca combines `AllowCredentials = true` con un wildcard `AllowOrigins`. Cuando necesites
122
-
validación dinámica de origin, usa `UnsafeAllowOriginFunc` y valida con cuidado:
123
-
los atacantes pueden registrar nombres de (sub)dominio hostiles.
124
-
:::
120
+
## Seguridad
121
+
122
+
Un origin con wildcard (`AllowOrigins: []string{"*"}`) combinado con `AllowCredentials: true`
123
+
es peligroso: reflejaría el `Origin` de **cualquier** petición en
124
+
`Access-Control-Allow-Origin`, permitiendo que una página de cualquier sitio haga peticiones
125
+
cross-origin con credenciales a tu API (consulta [Exploiting CORS misconfigurations](https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)).
126
+
127
+
Echo rechaza esta combinación en lugar de construir un middleware inseguro: `CORS` y
128
+
`CORSWithConfig` hacen **panic**, y `CORSConfig.ToMiddleware()` devuelve un error. Para permitir
129
+
peticiones con credenciales, enumera explícitamente los orígenes de confianza:
Copy file name to clipboardExpand all lines: site/src/content/docs/pt-br/middleware/cors.md
+20-5Lines changed: 20 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -117,8 +117,23 @@ CORSConfig{
117
117
}
118
118
```
119
119
120
-
:::caution[Segurança]
121
-
Nunca combine `AllowCredentials = true` com um wildcard `AllowOrigins`. Quando precisar
122
-
de validação dinâmica de origem, use `UnsafeAllowOriginFunc` e valide cuidadosamente —
123
-
atacantes podem registrar nomes de (sub)domínio hostis.
124
-
:::
120
+
## Segurança
121
+
122
+
Um origin curinga (`AllowOrigins: []string{"*"}`) combinado com `AllowCredentials: true`
123
+
é perigoso: ele refletiria o `Origin` de **qualquer** requisição em
124
+
`Access-Control-Allow-Origin`, permitindo que uma página de qualquer site faça requisições
125
+
cross-origin com credenciais à sua API (veja [Exploiting CORS misconfigurations](https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)).
126
+
127
+
O Echo recusa essa combinação em vez de construir um middleware inseguro: `CORS` e
128
+
`CORSWithConfig` causam **panic**, e `CORSConfig.ToMiddleware()` retorna um erro. Para permitir
129
+
requisições com credenciais, liste explicitamente as origens confiáveis:
0 commit comments