Skill Being Reviewed
Skill name: �pi-security
Skill path: skills/appsec/api-security/
False Positive Analysis
Benign CORS configuration that should not be over-flagged:
`http
Origin: https://app.example.com
Access-Control-Request-Method: GET
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET
Vary: Origin
`
Why this is a false positive:
A dynamic CORS response is not automatically unsafe when the server matches the request origin against an exact allowlist, returns Vary: Origin, and limits methods/headers per endpoint. The current API8 guidance says to use an explicit allowlist, but it does not ask reviewers to distinguish exact allowlist reflection from arbitrary origin reflection.
Coverage Gaps
Missed variant 1: Origin: null accepted for credentialed APIs
`http
Origin: null
Cookie: session=...
HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
`
Why it should be caught:
ull origins can come from sandboxed documents or non-hierarchical schemes such as �ile: and data:. Treating
ull as a trusted origin can expose credentialed API responses to hostile documents.
Missed variant 2: Private Network Access preflight allowed without a trusted-origin gate
`http
Origin: https://attacker.example
Access-Control-Request-Method: POST
Access-Control-Request-Private-Network: true
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://attacker.example
Access-Control-Allow-Credentials: true
Access-Control-Allow-Private-Network: true
`
Why it should be caught:
Private Network Access preflights are a signal that a public origin is trying to reach a less-public/private network resource. Reviewers should require explicit evidence that only trusted origins can receive Access-Control-Allow-Private-Network: true.
Edge Cases
- Public, unauthenticated APIs can allow broad read-only CORS without the same severity as credentialed APIs.
- Local development origins may be allowed in non-production, but production evidence should show they are disabled or environment-scoped.
- Exact dynamic allowlists are acceptable when they include Vary: Origin; arbitrary origin reflection is not.
- PNA handling may be irrelevant for purely public APIs with no private-network resources; mark it Not Applicable with rationale.
Remediation Quality
Comparison to Other Tools
| Tool |
Catches this? |
Notes |
| Browser CORS enforcement |
Partial |
Blocks some invalid combinations, but server review still needs to catch unsafe allow decisions. |
| DAST scanners |
Partial |
Can test origin reflection and |
| ull origin, but often miss environment-specific allowlists and PNA intent. |
|
|
| Manual API review |
Yes |
Can inspect allowlist logic, cache headers, and private-resource preflight policy. |
Sources Checked
Bounty Info
Skill Being Reviewed
Skill name: �pi-security
Skill path: skills/appsec/api-security/
False Positive Analysis
Benign CORS configuration that should not be over-flagged:
`http
Origin: https://app.example.com
Access-Control-Request-Method: GET
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET
Vary: Origin
`
Why this is a false positive:
A dynamic CORS response is not automatically unsafe when the server matches the request origin against an exact allowlist, returns Vary: Origin, and limits methods/headers per endpoint. The current API8 guidance says to use an explicit allowlist, but it does not ask reviewers to distinguish exact allowlist reflection from arbitrary origin reflection.
Coverage Gaps
Missed variant 1: Origin: null accepted for credentialed APIs
`http
Origin: null
Cookie: session=...
HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
`
Why it should be caught:
ull origins can come from sandboxed documents or non-hierarchical schemes such as ile: and data:. Treating
ull as a trusted origin can expose credentialed API responses to hostile documents.
Missed variant 2: Private Network Access preflight allowed without a trusted-origin gate
`http
Origin: https://attacker.example
Access-Control-Request-Method: POST
Access-Control-Request-Private-Network: true
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://attacker.example
Access-Control-Allow-Credentials: true
Access-Control-Allow-Private-Network: true
`
Why it should be caught:
Private Network Access preflights are a signal that a public origin is trying to reach a less-public/private network resource. Reviewers should require explicit evidence that only trusted origins can receive Access-Control-Allow-Private-Network: true.
Edge Cases
Remediation Quality
ull/opaque origin rejection, Vary: Origin, per-endpoint preflight methods/headers, and Private Network Access review.
Comparison to Other Tools
Sources Checked
Bounty Info