---
title: Permissive CORS configuration allows any origin
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Permissive CORS configuration allows any origin
---

# Permissive CORS configuration allows any origin

## Metadata{% #metadata %}

**ID:** `rust-security/permissive-cors`

**Language:** Rust

**Severity:** Warning

**Category:** Security

**CWE**: [346](https://cwe.mitre.org/data/definitions/346.html)

**Related CWEs**:

- [940](https://cwe.mitre.org/data/definitions/940.html)

## Description{% #description %}

Permissive CORS configurations let any origin read responses from the server, so a page on an attacker-controlled site can script cross-origin requests to authenticated endpoints and read the results (data theft), and can drive state-changing requests whose outcome the same-origin policy would otherwise hide from it (CSRF amplification). In Rust this most often appears as `tower_http::cors::CorsLayer::permissive()`, `CorsLayer::very_permissive()`, `.allow_origin(Any)`, or actix-cors's `Cors::permissive()` / `.allow_any_origin()`. The variants differ in how much they expose: `Any` and tower-http's `permissive()` emit `Access-Control-Allow-Origin: *`, which browsers refuse to pair with credentials, whereas tower-http's `very_permissive()` and actix-cors's `Cors::permissive()` reflect the request `Origin` and also allow credentials, so any site can read cookie-authenticated responses as the victim. Even the wildcard form exposes endpoints that are not protected by browser credentials, such as services reachable only from an internal network. Replace these with an explicit allow-list of full origins (scheme, host and port, matched exactly rather than by substring or suffix), or gate permissive setups behind `cfg(debug_assertions)` so they exist only in local development builds.
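The exact-match origin check that such an allow-list must perform, as an added example that is not part of the Datadog rule, tower-http or actix-cors (it uses only the standard library, and the `example.com` origins are constructed for the example). It contrasts exact matching with a `contains`-style check, and shows the response headers a validated origin gets: the origin echoed verbatim, never `*`, together with `Vary: Origin`.

```rust
// Added example, not code from the rule or the crates it covers.
// Allow-listed origins are compared as whole serialized origins
// (scheme + host + optional port). These entries are constructed for the example.
pub const ALLOWED_ORIGINS: &[&str] = &[
    "https://app.example.com",
    "https://admin.example.com:8443",
];

/// Exact-match origin validation. The whole origin must equal an entry, so a
/// lookalike host (`https://app.example.com.evil.net`), the wrong scheme
/// (`http://app.example.com`) and the opaque `null` origin are all rejected.
/// Scheme and host are case-insensitive, hence the ASCII case fold.
pub fn origin_allowed(origin: &str, allow_list: &[&str]) -> bool {
    let origin = origin.trim();
    if origin.is_empty() || origin.eq_ignore_ascii_case("null") {
        return false;
    }
    allow_list.iter().any(|allowed| allowed.eq_ignore_ascii_case(origin))
}

/// The check that a `contains`-style "allow-list" actually performs, kept here
/// only to show what it lets through. Do not use.
pub fn naive_contains_allowed(origin: &str, site: &str) -> bool {
    origin.contains(site)
}

/// CORS response headers for a request carrying `origin`.
/// When the origin is not allow-listed, no Access-Control-Allow-Origin is sent
/// and the browser blocks the cross-origin read. When it is, the validated
/// origin is echoed verbatim (never `*`), which is the only form browsers
/// accept together with `Access-Control-Allow-Credentials: true`.
pub fn cors_headers(
    origin: Option<&str>,
    allow_list: &[&str],
    with_credentials: bool,
) -> Vec<(&'static str, String)> {
    // Vary on Origin so a shared cache never replays one origin's
    // Access-Control-Allow-Origin to a request from another origin.
    let mut headers = vec![("Vary", "Origin".to_string())];
    if let Some(o) = origin {
        if origin_allowed(o, allow_list) {
            headers.push(("Access-Control-Allow-Origin", o.trim().to_string()));
            if with_credentials {
                headers.push(("Access-Control-Allow-Credentials", "true".to_string()));
            }
        }
    }
    headers
}

fn main() {
    // Constructed request origins, including the lookalikes an attacker would try.
    for origin in [
        "https://app.example.com",
        "https://app.example.com.evil.net",
        "https://notexample.com",
        "http://app.example.com",
        "null",
    ] {
        println!(
            "{origin:<36} exact: {:<5} contains(example.com): {}",
            origin_allowed(origin, ALLOWED_ORIGINS),
            naive_contains_allowed(origin, "example.com"),
        );
    }
    println!("{:?}", cors_headers(Some("https://app.example.com"), ALLOWED_ORIGINS, true));
    println!("{:?}", cors_headers(Some("https://evil.net"), ALLOWED_ORIGINS, true));
}
```

Wiring this into tower-http is a matter of passing the same predicate to `AllowOrigin::predicate` (or the static list to `AllowOrigin::list`); the middleware then emits the headers above and you never reach for `Any`.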

#### Learn More{% #learn-more %}

- [CWE-346: Origin Validation Error](https://cwe.mitre.org/data/definitions/346.html)

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```rust
use tower_http::cors::{CorsLayer, Any};
use actix_cors::Cors;

fn tower_permissive() {
    // Any origin, method and header; emits Access-Control-Allow-Origin: *
    let _ = CorsLayer::permissive();
}

fn tower_very_permissive() {
    // Same as above but reflects the request Origin and allows credentials
    let _ = CorsLayer::very_permissive();
}

fn tower_qualified() {
    // Fully qualified path is flagged too
    let _ = tower_http::cors::CorsLayer::permissive();
}

fn tower_allow_any() {
    // Wildcard origin on an otherwise default layer
    let _ = CorsLayer::new().allow_origin(Any);
}

fn tower_allow_any_qualified() {
    let _ = CorsLayer::new().allow_origin(tower_http::cors::Any);
}

fn actix_permissive() {
    // Any origin, reflected, with credentials supported
    let _ = Cors::permissive();
}

fn actix_allow_any_origin() {
    // Any origin on an otherwise default config
    let _ = Cors::default().allow_any_origin();
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```rust
use tower_http::cors::{CorsLayer, Any};
use http::HeaderValue;

fn ok() {
    // Explicit allow-list
    let origin: HeaderValue = "https://example.com".parse().unwrap();
    let _ = CorsLayer::new().allow_origin(origin);

    // Default restrictive layer
    let _ = CorsLayer::new();

    // Allowing all methods or headers is not flagged — only origin is the security boundary
    let _ = CorsLayer::new().allow_methods(Any).allow_headers(Any);
}
```