Cross-Origin Resource Sharing (CORS) controls which websites can call your school's APIs. A misconfigured CORS policy can let any website on the internet read your student data or trigger admin actions.
Browsers enforce a security rule called the Same-Origin Policy: JavaScript on one website cannot read responses from a different website's server. This prevents malicious-site.com from using a visitor's browser to silently read data from yourschool.edu.ph.
Cross-Origin Resource Sharing (CORS) is a mechanism that lets servers selectively relax this rule — telling browsers "it's okay for JavaScript from these specific trusted origins to read my responses."
It works through HTTP headers:
Access-Control-Allow-Origin: https://partner.edu.ph
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

Browsers refuse this combination: when a request was made with credentials, a response whose allowed origin is "*" is not exposed to the calling script. Many developers work around the refusal by reflecting whatever Origin header the browser sent:
// Dangerous pattern seen in many school CMS backends:
header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
header("Access-Control-Allow-Credentials: true");

This effectively trusts every origin on the internet. Any website can make requests to your API from a visitor's browser, with that visitor's session cookie attached, and read the responses, including authenticated responses carrying student data.
Access-Control-Allow-Origin: *
For public, unauthenticated APIs this is fine: browsers will not expose a wildcard response to a credentialed request, so a logged-in session cannot be read through it. But anything the server returns without a session, even aggregate stats, or an endpoint that is protected only by being reachable from the campus network, becomes readable by JavaScript on any site a staff or student browser visits.
Access-Control-Allow-Origin: null
The null origin is sent by sandboxed iframes and by pages opened from local files. Any attacker page can produce it by loading its request from a sandboxed iframe, so allowing null, particularly together with Access-Control-Allow-Credentials: true, is effectively the same as reflecting every origin.
An attacker creates a webpage that students or staff are tricked into visiting (e.g., via phishing). That page's JavaScript silently:
The victim sees nothing: the browser attaches the victim's session cookie to the cross-origin request as usual, and the permissive headers let the attacker's script read the response. The data, student records, grades, contact information, is gone.
Send a request to your API with a custom Origin header (note that -I sends a HEAD request, which some frameworks route differently from GET; if the headers look incomplete, repeat with -s -D - -o /dev/null instead of -I so you get the GET response headers):

curl -H "Origin: https://evil.com" -I https://yourschool.edu.ph/api/students

If the response includes:

Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true

Your API is misconfigured. Repeat the test with Origin: null, and with an origin that merely contains your domain, such as https://yourschool.edu.ph.evil.com, to catch allowlists that use substring or unanchored pattern matching.
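The curl check above, as an added example that is not part of the original page: a small Node.js probe that sends several attacker-style Origin values and classifies each response. assessCors() works on a plain header object and runs offline; probeCors() performs the live request with Node's http/https client, which, unlike a browser, lets a script set the Origin header. The hostnames are assumptions: yourschool.edu.ph is the page's placeholder domain and evil.example stands in for an attacker-controlled site.

```javascript
// Origins worth sending. The suffix and prefix variants expose allowlists that use
// substring or unanchored regex matching; "null" tests the sandboxed-iframe case.
function probeOrigins(target) {
  const host = new URL(target).hostname;
  return [
    "https://evil.example",            // assumed attacker site
    `https://${host}.evil.example`,    // passes startsWith(host) / unanchored regex
    `https://evil${host}`,             // passes endsWith(host)
    "null",
  ];
}

// headers: object keyed by lower-case header name, as Node's http client returns.
function assessCors(headers, probeOrigin) {
  const acao = headers["access-control-allow-origin"];
  const creds =
    String(headers["access-control-allow-credentials"] ?? "").trim().toLowerCase() === "true";
  if (acao === undefined) {
    return { severity: "ok", verdict: "no-cors",
      detail: "no Access-Control-Allow-Origin; browsers block cross-origin reads" };
  }
  if (acao === "*") {
    return creds
      ? { severity: "medium", verdict: "wildcard-with-credentials",
          detail: "browsers reject * with credentials, but the server evidently means to expose credentialed data" }
      : { severity: "low", verdict: "wildcard",
          detail: "any site can read unauthenticated responses; fine only for genuinely public data" };
  }
  if (acao === "null") {
    return { severity: creds ? "high" : "medium", verdict: "null-origin",
      detail: "null is what sandboxed iframes send, so any site can obtain it" };
  }
  if (acao === probeOrigin) {
    return { severity: creds ? "high" : "medium", verdict: "reflected",
      detail: `probe origin ${probeOrigin} was echoed back${creds ? " with credentials" : ""}` };
  }
  return { severity: "ok", verdict: "fixed-origin", detail: `only ${acao} is allowed` };
}

// Constructed responses (not captured from any real site) so the classifier can be
// exercised without network access.
const SAMPLE_RESPONSES = {
  reflecting:  { "access-control-allow-origin": "https://evil.example", "access-control-allow-credentials": "true" },
  wildcard:    { "access-control-allow-origin": "*" },
  nullAllowed: { "access-control-allow-origin": "null", "access-control-allow-credentials": "true" },
  allowlisted: { "access-control-allow-origin": "https://portal.yourschool.edu.ph", "vary": "Origin" },
  none:        { "content-type": "application/json" },
};

function assessSamples(probeOrigin = "https://evil.example") {
  return Object.fromEntries(
    Object.entries(SAMPLE_RESPONSES).map(([name, h]) => [name, assessCors(h, probeOrigin).verdict]),
  );
}

// Live probe: one GET per origin, body discarded, only the headers are inspected.
async function probeCors(target, origin) {
  const url = new URL(target);
  const { default: client } = await import(url.protocol === "https:" ? "node:https" : "node:http");
  return new Promise((resolve, reject) => {
    const req = client.request(url, { method: "GET", headers: { Origin: origin } }, (res) => {
      res.resume();
      resolve({ origin, status: res.statusCode, ...assessCors(res.headers, origin) });
    });
    req.on("error", reject);
    req.end();
  });
}

async function main(target) {
  for (const origin of probeOrigins(target)) {
    const r = await probeCors(target, origin);
    console.log(`${origin.padEnd(44)} ${r.severity.padEnd(7)} ${r.verdict.padEnd(26)} ${r.detail}`);
  }
}

// Usage: node cors-probe.js https://yourschool.edu.ph/api/students
if (process.argv[2]) main(process.argv[2]).catch((e) => { console.error(e.message); process.exit(1); });
```

A "reflected" or "null-origin" verdict with credentials is the case the page warns about; "fixed-origin" means the server named some other specific origin and did not echo the probe, which is what a correct allowlist looks like from the outside.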
$allowed = ['https://yourschool.edu.ph', 'https://portal.yourschool.edu.ph'];
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
// Exact string match against the allowlist, strict comparison. No substring or
// prefix checks: an attacker can satisfy those with yourschool.edu.ph.evil.com.
if (in_array($origin, $allowed, true)) {
    header("Access-Control-Allow-Origin: $origin");
    header("Access-Control-Allow-Credentials: true");
    // The response now differs per origin; tell caches so one origin's copy
    // is not served to another.
    header("Vary: Origin");
}

The same allowlist in nginx:

set $cors_origin "";
# Anchored with ^ and $, so only these two exact origins match.
if ($http_origin ~* "^https://(yourschool\.edu\.ph|portal\.yourschool\.edu\.ph)$") {
    set $cors_origin $http_origin;
}
# nginx skips add_header when the value is empty, so unlisted origins get no CORS header.
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Vary Origin always;

A wildcard is acceptable only when:
Access-Control-Allow-Origin: *
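The allowlist decision from the PHP and nginx fixes above, as an added example that is not part of the original page, written as a Node.js handler with the reflecting and substring-matching versions beside it for contrast. The two allowed origins are the page's placeholders, evil.example is an assumed attacker domain, and the /api/students route and its empty payload are hypothetical.

```javascript
// Exact origins allowed to read credentialed responses. Scheme, host and port all
// count: http://yourschool.edu.ph is a different origin from https://yourschool.edu.ph.
const ALLOWED_ORIGINS = new Set([
  "https://yourschool.edu.ph",
  "https://portal.yourschool.edu.ph",
]);

// Vulnerable: reflects whatever Origin the browser sent, so every site is trusted.
function corsHeadersReflecting(origin) {
  if (origin === undefined) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
}

// Also vulnerable, and common: "does the origin mention our domain?"
// https://yourschool.edu.ph.evil.example and https://evilyourschool.edu.ph both pass.
function corsHeadersSubstring(origin) {
  if (origin === undefined || !origin.includes("yourschool.edu.ph")) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
}

// Fixed: exact match against the allowlist and nothing for anyone else
// (no header at all, not "*" and not "null"). Vary: Origin keeps a shared cache
// from replaying one origin's response to another.
function corsHeadersAllowlist(origin) {
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Preflight answer: same allowlist check, plus the methods and request headers the
// portal may use. Returns null for a non-allowlisted origin (answer 403, no CORS headers).
function preflightHeaders(origin) {
  const base = corsHeadersAllowlist(origin);
  if (!base["Access-Control-Allow-Origin"]) return null;
  return {
    ...base,
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Max-Age": "600",
  };
}

// Constructed probe origins covering the legitimate sites, a scheme mismatch,
// suffix/prefix lookalikes, an unrelated site and the null origin.
const PROBE_ORIGINS = [
  "https://yourschool.edu.ph",
  "https://portal.yourschool.edu.ph",
  "http://yourschool.edu.ph",
  "https://yourschool.edu.ph.evil.example",
  "https://evilyourschool.edu.ph",
  "https://evil.example",
  "null",
];

// Which of the probe origins a given policy would grant a credentialed read.
function grantedOrigins(policy) {
  return PROBE_ORIGINS.filter((o) => policy(o)["Access-Control-Allow-Credentials"] === "true");
}

// Minimal server wiring around the fixed policy (hypothetical route and payload).
async function serve(port) {
  const { default: http } = await import("node:http");
  const server = http.createServer((req, res) => {
    const origin = req.headers.origin;
    if (req.method === "OPTIONS") {
      const h = preflightHeaders(origin);
      res.writeHead(h ? 204 : 403, h || {});
      return res.end();
    }
    res.writeHead(200, { "Content-Type": "application/json", ...corsHeadersAllowlist(origin) });
    res.end(JSON.stringify({ students: [] }));
  });
  server.listen(port);
  return server;
}

// Usage: node cors-server.js 8080, then probe it with curl -H "Origin: https://evil.example" -i http://localhost:8080/api/students
if (process.argv[2]) serve(Number(process.argv[2]));
```

grantedOrigins() makes the difference concrete: the reflecting policy grants all seven probe origins, the substring policy still grants the two lookalike domains and the plain-http origin, and the allowlist grants exactly the two sites that are supposed to call the API.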
Interactive CORS Demo: Enter a school API domain and watch an attacker page silently fetch and read student records when CORS is set to *. Switch to the protected mode to see the browser block the read with a CORS error.
The Site Scanner inspects your school site's CORS headers and flags overly permissive configurations.