Why is dynamic origin reflection flagged as critical?

Reflecting any incoming 'Origin' header effectively disables CORS protection. If combined with 'Access-Control-Allow-Credentials: true', it allows any site to make authenticated requests to your API.

Can this skill detect regex bypasses in origin validation?

Yes, it specifically looks for weak regex patterns like 'example.com$' which can be bypassed by domains like 'evil-example.com'.

Does it support PHP frameworks like Laravel or Symfony?

Yes, the skill uses grep patterns to scan generic PHP code, middleware, and configuration files (YAML/PHP) used by all major frameworks for CORS settings.

What is the primary purpose of the check-cors-security skill?

It identifies vulnerabilities in PHP applications where Cross-Origin Resource Sharing is improperly configured, helping prevent data theft and unauthorized cross-site access.

PHP CORS Security Auditor

Name: PHP CORS Security Auditor
Author: dykyi-roman

bydykyi-roman

•

보안 및 테스팅

Audits PHP applications for CORS misconfigurations to prevent unauthorized cross-origin resource access and security bypasses.

This skill enables Claude to perform comprehensive security audits of PHP-based CORS configurations, specifically targeting OWASP A05:2021 security misconfigurations. It scans codebases for critical vulnerabilities such as wildcard origins, unsafe dynamic origin reflection, and weak regex patterns that allow domain bypasses. By identifying missing preflight handling and incorrect 'Vary' headers, it helps developers implement robust, production-ready security policies that protect sensitive data while maintaining API interoperability.

주요 기능

01Checks for missing 'Vary: Origin' headers to prevent CDN caching vulnerabilities

02Validates regex-based origin matching to prevent common bypass techniques

0345 GitHub stars

04Analyzes preflight OPTIONS request handling for API compliance and security

05Identifies unsafe dynamic origin reflection in PHP middleware and controllers

06Detects dangerous wildcard origins and credential misconfiguration patterns

사용 사례

01Performing security reviews of PHP APIs before production deployment

02Hardening API security to meet OWASP A05:2021 compliance standards

03Refactoring legacy CORS middleware to align with modern security best practices

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add dykyi-roman/awesome-claude-code check-cors-security

For use in Claude.ai and ChatGPT

Download Skill