While exploring a few public websites last week, I stumbled upon a surprisingly common yet dangerous combination of vulnerabilities — CORS misconfiguration and lack of API rate limiting.

These two issues, together, could allow any attacker to fetch data from protected APIs and overwhelm the server with thousands of requests. In this post, I’ll explain what I found, why it’s a problem, and how you can protect your applications.

🔍 What I Discovered

I was casually inspecting the network requests of a few websites and noticed something odd:

  1. Their APIs responded to requests from any origin.
  2. There was no authentication or token-based validation in place.
  3. Even worse, I could send unlimited requests — no rate limiting at all!

Using just a browser or tools like Postman, I could:

  • Access data that should’ve been private
  • Simulate a Denial-of-Service (DoS) attack by sending rapid requests
  • Fetch and manipulate API data without being on the same domain

cors error, cors misconfigure

🔐 Let’s Talk About CORS

CORS (Cross-Origin Resource Sharing) is a security feature implemented by browsers that restricts web pages from making requests to a different domain than the one that served the page.

⚠️ The Misconfiguration

The affected websites had this kind of header:

Access-Control-Allow-Origin: *

That * wildcard means any website (even malicious ones) can make requests to this API and get a response.

💣 No API Rate Limiting = Major Exploitation Risk

To make things worse, their server didn’t implement any rate limiting. This means I could send thousands of requests per second without any throttling or blocking.

📉 Why That’s Dangerous:

  • Resource Exhaustion: Servers can get overwhelmed and crash.
  • Cost Spike: For APIs hosted on cloud platforms, excessive requests = higher billing.
  • Easy for Bots and Scrapers: Anyone can write a script and steal your data.

🛡️ How to Prevent This

✅ Secure CORS Configuration
Never use Access-Control-Allow-Origin: * in production for sensitive endpoints.

Use something like:

Access-Control-Allow-Origin: https://your-frontend.com

And set proper headers:
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization

✅ Implement Rate Limiting

If you’re using Node.js (Express.js), you can use libraries like express-rate-limit:

const rateLimit = require("express-rate-limit");

const limiter = rateLimit({
  windowMs: 1 * 60 * 1000, // 1 minute
  max: 100, // limit each IP to 100 requests per minute
});

app.use('/api/', limiter);

📌 Key Takeaways

  • CORS should never be wide open unless the data is truly public.
  • Rate limiting is essential for every production-grade API.
  • Even small misconfigurations can open the door to serious security issues.
  • Always audit your APIs regularly for vulnerabilities.