CORS allows any origin (wildcard)
CORS (Cross-Origin Resource Sharing) controls which external websites are allowed to make requests to your server. Your site currently allows any website to make these requests (a "wildcard" setting).
Why this matters
For public APIs that are meant to be open, a wildcard is fine. But for endpoints that return user data or perform sensitive actions, allowing any origin means a malicious website could silently make requests on behalf of your logged-in users.
How to fix it
In your server or CDN configuration, change the Access-Control-Allow-Origin header from a wildcard to an explicit list of the domains that legitimately need access. Your developer can do this in a single config line.
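As an added illustration (not code from the original page), the allow-list check below is what that single config line has to express: an exact match on the requesting origin against a fixed set, shown beside the wildcard it replaces. The origins and the `ALLOWED_ORIGINS` name are constructed sample values.

```javascript
// Added example: explicit-origin CORS beside the wildcard it replaces.

// Constructed sample allow-list; full origins (scheme + host + port).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak setting: every site may read the response. Acceptable for a truly
// public API, wrong for endpoints that return user data.
function corsHeadersWildcard() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Fixed setting: only a listed origin gets the header back, and the
// comparison is an exact string match. A substring or suffix test
// (origin.endsWith("example.com")) would also admit
// "https://app.example.com.attacker.test", so avoid it.
// Note: browsers reject "*" on requests that carry cookies, and some servers
// "fix" that by echoing whatever Origin arrives; that is a wildcard in
// disguise and is what the allow-list is meant to replace.
function corsHeadersAllowlist(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string" || !allowed.has(requestOrigin)) {
    // No CORS header at all: the browser blocks the cross-origin read.
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    // The header now depends on the request, so shared caches (CDN) must
    // key on Origin or one site's answer could be served to another.
    "Vary": "Origin",
  };
}

// Where it sits in a request handler (Node-style req/res objects).
function applyCors(req, res) {
  const headers = corsHeadersAllowlist(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}
```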