File: nym-credential-proxy/nym-credential-proxy/src/http/router/mod.rs:39
Config: nym-credential-proxy/nym-credential-proxy/Cargo.toml:93
// mod.rs:37-43
cfg_if::cfg_if! {
if #[cfg(feature = "cors")] {
router.layer(tower_http::cors::CorsLayer::very_permissive()) // ← any origin +
credentials
} else {
route
}
}
# Cargo.toml:93
default = ["cors"] # ← cors feature ON by default
very_permissive() = allow_any_origin() + allow_credentials(true) + all methods/headers. The
credential proxy handles sensitive credential issuance, so this combination means any web
page can make credentialed cross-origin requests to it. This is a textbook
CSRF/credential-theft surface.
Fix: Either disable cors from the default feature set, or restrict to known origins:
CorsLayer::new()
.allow_origin("https://your-trusted-frontend.com".parse::().unwrap())
.allow_methods([Method::GET, Method::POST])
.allow_credentials(false)
File: nym-credential-proxy/nym-credential-proxy/src/http/router/mod.rs:39
Config: nym-credential-proxy/nym-credential-proxy/Cargo.toml:93
very_permissive() = allow_any_origin() + allow_credentials(true) + all methods/headers. The
credential proxy handles sensitive credential issuance, so this combination means any web
page can make credentialed cross-origin requests to it. This is a textbook
CSRF/credential-theft surface.
Fix: Either disable cors from the default feature set, or restrict to known origins:
CorsLayer::new()
.allow_origin("https://your-trusted-frontend.com".parse::().unwrap())
.allow_methods([Method::GET, Method::POST])
.allow_credentials(false)