Building an API with Symfony? If so, you've likely stumbled upon Cross-Origin Resource Sharing (CORS) errors when integrating with front-end apps or mobile clients. Misconfigured CORS headers can unintentionally expose sensitive data—here’s how to avoid that.
🚨 What is CORS and Why Misconfigurations Matter
Browsers enforce the Same-Origin Policy, restricting scripts from one origin (scheme + domain + port) to access resources from another. CORS is a controlled exception, letting the server explicitly allow safe cross-origin requests.
However, a wildcard origin (`*`) or echoing the `Origin` header back, often paired with `Access-Control-Allow-Credentials: true`, can create vulnerabilities by exposing private user data to attackers.
Common Unsafe Patterns

```yaml
# config/packages/nelmio_cors.yaml
nelmio_cors:
    defaults:
        allow_origin: ['*'] # ❌ Too permissive
        allow_headers: ['*']
        allow_methods: ['*']
```
Or even riskier: dynamically reflecting the `Origin` header, which effectively allows all origins.
🔒 Best Practice with NelmioCorsBundle in Symfony

Use the `nelmio/cors-bundle` and whitelist specific trusted domains.

```shell
composer require nelmio/cors-bundle
```
```yaml
# config/packages/nelmio_cors.yaml
nelmio_cors:
    defaults:
        # origin_regex: true means every allow_origin entry is a regular expression.
        # Anchor it (^...$) and escape the dots; an unanchored "https://frontend.example.com"
        # would also match "https://frontend.example.com.attacker.example".
        origin_regex: true
        allow_origin: ['%env(CORS_ALLOW_ORIGIN)%']
        allow_headers: ['Content-Type', 'Authorization']
        allow_methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']
        max_age: 3600
        allow_credentials: true
    paths:
        '^/api/':
            # paths inherit origin_regex from defaults, so this entry is a regex as well
            allow_origin: ['^https://frontend\.example\.com$']
            allow_headers: ['X-Custom-Auth']
```

Define trusted origins via environment variables (as an anchored regex, because `origin_regex` is enabled):

```shell
CORS_ALLOW_ORIGIN='^https://frontend\.example\.com$'
```

This setup ensures that only the trusted clients you define can access your API: no wildcard, no origin reflection.
⚠️ The Dangers of `*` and Wildcard Behavior
SonarQube flags overly permissive CORS policies because they can lead to:

- Credential leakage via reflected origins
- Attackers reading responses from authenticated sessions

Fix: strictly whitelist domains. In Symfony, avoid:

```yaml
allow_origin: ['*']
```

Instead:

```yaml
allow_origin: ['https://trusted-site.com']
```
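To see why the difference between an exact whitelist, an anchored regex and origin reflection matters in practice, here is a small stand-alone PHP script added to this post (it is not code from NelmioCorsBundle or from the original article). It models how an `allow_origin` policy answers a set of constructed `Origin` values; the regex branch uses the same case-insensitive `preg_match` form the bundle's `origin_regex` mode is documented to use, and the policy names and probe origins are made up for illustration.

```php
<?php
// Added example (not part of the original post or of NelmioCorsBundle): a stand-alone
// model of how an allow_origin policy decides the Access-Control-Allow-Origin header.
// The regex branch mirrors the bundle's documented origin_regex behaviour (case-insensitive
// preg_match with the pattern wrapped in {...}); everything else is illustration only,
// and the origins below are constructed sample values.

declare(strict_types=1);

/**
 * Decide which Access-Control-Allow-Origin value (if any) a policy would emit.
 *
 * @param string   $origin      value of the incoming Origin request header
 * @param string[] $allowOrigin the allow_origin list from nelmio_cors.yaml
 * @param bool     $originRegex the origin_regex flag
 * @param bool     $reflect     true models the anti-pattern of echoing any Origin back
 * @return string|null header value to send, or null to send no CORS header at all
 */
function decideAllowOrigin(string $origin, array $allowOrigin, bool $originRegex = false, bool $reflect = false): ?string
{
    if ($reflect) {
        return $origin;                      // ❌ every origin is trusted
    }
    if (in_array('*', $allowOrigin, true)) {
        return '*';                          // ❌ wildcard: the data is readable from any site
    }
    foreach ($allowOrigin as $allowed) {
        $matches = $originRegex
            ? preg_match('{' . $allowed . '}i', $origin) === 1   // regex mode, as the bundle does it
            : $origin === $allowed;                              // exact mode: plain string comparison
        if ($matches) {
            return $origin;
        }
    }
    return null;                             // untrusted origin: no ACAO header, the browser blocks the read
}

/** Return, per policy, which probe origins would receive an allowing ACAO header. */
function auditPolicies(array $policies, array $probes): array
{
    $report = [];
    foreach ($policies as $name => $p) {
        $allowed = [];
        foreach ($probes as $origin) {
            if (decideAllowOrigin($origin, $p['allow'], $p['regex'], $p['reflect']) !== null) {
                $allowed[] = $origin;
            }
        }
        $report[$name] = $allowed;
    }
    return $report;
}

$trusted = 'https://frontend.example.com';

// Constructed probe origins: one legitimate, four that must be rejected.
$probes = [
    'https://frontend.example.com',                   // the real front-end
    'https://frontend.example.com.attacker.example',  // unanchored pattern matches as a prefix
    'https://frontendxexamplexcom',                   // unescaped dots match any character
    'http://frontend.example.com',                    // scheme downgrade
    'https://evil.example',                           // unrelated origin
];

// Constructed policies, from the anti-patterns on this page to the safe forms.
$policies = [
    'wildcard'               => ['allow' => ['*'],                                 'regex' => false, 'reflect' => false],
    'reflect origin'         => ['allow' => [],                                    'regex' => false, 'reflect' => true],
    'unanchored regex'       => ['allow' => [$trusted],                            'regex' => true,  'reflect' => false],
    'anchored escaped regex' => ['allow' => ['^https://frontend\.example\.com$'],  'regex' => true,  'reflect' => false],
    'exact allow-list'       => ['allow' => [$trusted],                            'regex' => false, 'reflect' => false],
];

foreach (auditPolicies($policies, $probes) as $name => $allowed) {
    printf("%-24s allows %d/%d probe origins: %s\n",
        $name, count($allowed), count($probes), implode(', ', $allowed) ?: '(none)');
}
```

Only the anchored regex and the exact allow-list admit the single legitimate origin; the unanchored regex additionally accepts the look-alike origins, which is the failure the `origin_regex` caveat above is about.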
🛠️ Real Symfony Code Fix for CORS

Insecure Version:

```yaml
# config/packages/nelmio_cors.yaml
nelmio_cors:
    defaults:
        allow_origin: ['*']
        allow_methods: ['GET', 'POST']
        allow_headers: ['Content-Type']
```

Secure Fix:

```yaml
# config/packages/nelmio_cors.yaml
nelmio_cors:
    defaults:
        allow_origin: ['https://yourdomain.com']
        allow_methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS']
        allow_headers: ['Content-Type', 'Authorization']
        allow_credentials: true
    paths:
        '^/':
            origin_regex: false
            allow_origin: ['https://yourdomain.com']
```
👨‍💻 Testing with cURL / Axios

- cURL preflight request:

```shell
curl -X OPTIONS https://api.yourdomain.com/resource \
  -H "Origin: https://example.com" \
  -H "Access-Control-Request-Method: POST" \
  -i
```

Ensure response headers like `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`, and `Access-Control-Allow-Credentials` match expectations.

- Axios example (client-side):

```javascript
axios.post('/api/data', payload, {
  withCredentials: true
}).then(res => console.log(res.data));
```

The server must allow credentials and name the exact origin; otherwise the browser blocks the response.
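As an added check for the cURL step above (example code written for this post, not from the original article or from NelmioCorsBundle), here is a PHP script that parses a response captured with `curl -i` and flags the CORS header combinations discussed on this page: a wildcard, a wildcard next to credentials, a reflected untrusted origin, a missing `Access-Control-Allow-Methods`, and a missing `Vary: Origin`. The two response texts are constructed samples; paste a real capture into `$raw` to audit it.

```php
<?php
// Added example for this post (not from the original article): audit the CORS
// headers of a preflight response captured with `curl -i`. The two response
// texts below are constructed samples, not output from a real server.

declare(strict_types=1);

/** Parse the header block of a raw HTTP response into a map keyed by lowercase name. */
function parseHeaders(string $raw): array
{
    $headers = [];
    foreach (preg_split('/\r?\n/', $raw) as $line) {
        if ($line === '') {
            break;                                // blank line ends the header block
        }
        if (str_starts_with($line, 'HTTP/') || !str_contains($line, ':')) {
            continue;                             // status line or junk
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

/**
 * Compare a preflight response against what the policy should produce for the
 * Origin that was sent. Returns a list of findings; an empty list means "as expected".
 *
 * @param array<string,string> $headers         output of parseHeaders()
 * @param string               $requestOrigin   the Origin header the probe sent
 * @param bool                 $originIsTrusted whether that origin is on the allow-list
 * @return string[]
 */
function auditPreflight(array $headers, string $requestOrigin, bool $originIsTrusted): array
{
    $findings = [];
    $acao = $headers['access-control-allow-origin'] ?? null;
    $acac = strtolower($headers['access-control-allow-credentials'] ?? '');
    $vary = strtolower($headers['vary'] ?? '');

    if ($acao === '*') {
        $findings[] = 'wildcard Access-Control-Allow-Origin';
    }
    if ($acao === '*' && $acac === 'true') {
        $findings[] = 'wildcard origin combined with Access-Control-Allow-Credentials: true';
    }
    if (!$originIsTrusted && $acao === $requestOrigin) {
        $findings[] = 'untrusted Origin was reflected back';
    }
    if ($originIsTrusted && $acao !== $requestOrigin) {
        $findings[] = 'trusted Origin did not receive an exact Access-Control-Allow-Origin';
    }
    if ($originIsTrusted && !isset($headers['access-control-allow-methods'])) {
        $findings[] = 'Access-Control-Allow-Methods missing, so the browser will block the real request';
    }
    if ($acao !== null && $acao !== '*' && !str_contains($vary, 'origin')) {
        $findings[] = 'Vary: Origin missing, so a shared cache may serve one origin\'s answer to another';
    }
    return $findings;
}

// Constructed sample 1: the headers one expects for the trusted front-end.
$expectedResponse = "HTTP/1.1 204 No Content\r\n"
    . "Access-Control-Allow-Origin: https://frontend.example.com\r\n"
    . "Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS\r\n"
    . "Access-Control-Allow-Headers: Content-Type, Authorization\r\n"
    . "Access-Control-Allow-Credentials: true\r\n"
    . "Access-Control-Max-Age: 3600\r\n"
    . "Vary: Origin\r\n"
    . "\r\n";

// Constructed sample 2: a server that reflects whatever Origin it is given.
$reflectedResponse = "HTTP/1.1 204 No Content\r\n"
    . "Access-Control-Allow-Origin: https://evil.example\r\n"
    . "Access-Control-Allow-Credentials: true\r\n"
    . "\r\n";

$cases = [
    ['raw' => $expectedResponse,  'origin' => 'https://frontend.example.com', 'trusted' => true],
    ['raw' => $reflectedResponse, 'origin' => 'https://evil.example',         'trusted' => false],
];

foreach ($cases as $i => $case) {
    $findings = auditPreflight(parseHeaders($case['raw']), $case['origin'], $case['trusted']);
    printf("sample %d (Origin: %s): %s\n", $i + 1, $case['origin'],
        $findings ? implode('; ', $findings) : 'headers match expectations');
}
```

Run the probe twice, once with your real front-end origin and once with an origin you do not trust: the first capture should produce no findings, and the second should come back with no `Access-Control-Allow-Origin` header at all.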
🧰 Spot CORS Flaws with Free Scanner
Use our Website Vulnerability Scanner online free to detect misconfigurations like wildcard CORS, sensitive endpoints, exposed error details, and more.
Here’s a screenshot of the Website Vulnerability Scanner tool’s homepage:
Screenshot of the free tools webpage where you can access security assessment tools.
And here’s a sample PDF report generated by the tool to check Website Vulnerability:
An Example of a vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.
Scan your Symfony or PHP-based site here:
🔗 https://free.pentesttesting.com/
🚀 Our Services to Help You
Need manual penetration testing or want to embed cybersecurity services into your offering? Check out:
📰 Stay Updated
Follow our blog for more security content:
🔗 https://www.pentesttesting.com/blog/
Subscribe on LinkedIn for cybersecurity updates:
🔗 Subscribe on LinkedIn
✅ Summary: Keep Your Symfony API Safe from CORS Issues
| Anti-Pattern | Risk | Mitigation |
|---|---|---|
| `allow_origin: ['*']` | Open to any domain | Use whitelists |
| Reflecting `Origin` header | Allows credential leaks | Disable reflection |
| Missing preflight headers | Browser blocks requests | Define `allow_methods`, `allow_headers`, `allow_credentials` |
| No tool to detect CORS misconfigs | Hidden vulnerabilities | Use automated scanner |
Audit your CORS settings regularly to stay ahead of evolving threats.
If you found this helpful, share it with your team or comment with your Symfony CORS experiences. Happy securing!