Route level CORS config overrides connection level defaults

Module: hapi

Published: December 28th, 2015

Reported by: Eran Hammer



Vulnerable: <11.1.4
Patched: >=11.1.4


When server level, connection level or route level CORS configurations are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).


You should install hapi v11.1.4 or newer if you combine server level, connection level, or route level CORS configuration.


Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo