RC RANDOM CHAOS

cors

1 post

The same-origin policy is not protecting your API

A permissive CORS header delegates the read decision to the requester, letting attacker script read authenticated responses through the victim's own browser.