
rust.axum.missing_cors

Correctness Medium

Detects Axum router without CORS layer configuration.

Without CORS configuration:

  • Browser requests blocked — Cross-origin requests fail
  • Frontend broken — Web apps can’t call your API
  • Confusing errors — Works in Postman but fails in browsers

If your API serves web clients from different origins, you need CORS.

```rust
// ❌ Before
use axum::{routing::get, Router};

let app = Router::new()
    .route("/api/users", get(get_users));
```

```rust
// ✅ After
use axum::{routing::get, Router};
use tower_http::cors::{CorsLayer, Any};

let cors = CorsLayer::new()
    .allow_origin(Any)
    .allow_methods(Any)
    .allow_headers(Any);

let app = Router::new()
    .route("/api/users", get(get_users))
    .layer(cors);
```
This rule flags:

  • Axum Router without CorsLayer
  • Permissive CORS with credentials (security risk)

Unfault adds a basic, permissive CORS configuration. Restrict it for production:

```rust
use tower_http::cors::{CorsLayer, AllowOrigin};
use http::{header, Method};

// Explicit origin list, so allow_credentials(true) is valid here;
// tower-http rejects credentials combined with the `Any` wildcard origin.
let cors = CorsLayer::new()
    .allow_origin(AllowOrigin::list([
        "https://myapp.com".parse().unwrap(),
        "https://staging.myapp.com".parse().unwrap(),
    ]))
    .allow_methods([Method::GET, Method::POST, Method::PUT, Method::DELETE])
    .allow_headers([header::AUTHORIZATION, header::CONTENT_TYPE])
    .allow_credentials(true);
```
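To make the origin check concrete, here is an added example (not Unfault's or tower-http's code, written against std only) that models what an allowlist layer like the one above decides per response, and why the permissive-with-credentials combination from the flagged-patterns list is rejected. `CorsPolicy`, `AllowOrigin` and `production_policy` are this example's own names.

```rust
// Added example, not code from Unfault or tower-http: a std-only model of the
// per-response origin check that an allowlist CORS layer performs.
use std::collections::HashSet;

/// The two choices shown on this page: `Any` or an explicit `AllowOrigin::list`.
pub enum AllowOrigin { Any, List(HashSet<String>) }
pub struct CorsPolicy { pub allow_origin: AllowOrigin, pub allow_credentials: bool }

/// The production allowlist from the page (the hostnames are placeholders).
pub fn production_policy() -> CorsPolicy {
    let list = ["https://myapp.com", "https://staging.myapp.com"];
    CorsPolicy {
        allow_origin: AllowOrigin::List(list.iter().map(|s| s.to_string()).collect()),
        allow_credentials: true,
    }
}

impl CorsPolicy {
    /// Browsers refuse `Access-Control-Allow-Origin: *` combined with credentials;
    /// tower-http panics when such a layer is built, this model returns an error.
    pub fn validate(&self) -> Result<(), &'static str> {
        match (&self.allow_origin, self.allow_credentials) {
            (AllowOrigin::Any, true) => Err("wildcard origin cannot be combined with credentials"),
            _ => Ok(()),
        }
    }

    /// CORS headers for a request carrying `Origin`. `None` models curl or Postman,
    /// which send no Origin header, so the API "works" there even without CORS.
    pub fn response_headers(&self, origin: Option<&str>) -> Result<Vec<(&'static str, String)>, &'static str> {
        self.validate()?;
        let mut headers = Vec::new();
        let origin = match origin { Some(o) => o, None => return Ok(headers) };
        match &self.allow_origin {
            AllowOrigin::Any => headers.push(("access-control-allow-origin", "*".to_string())),
            // Unknown origin: no CORS headers at all, and the browser blocks the response.
            AllowOrigin::List(list) if !list.contains(origin) => return Ok(headers),
            // An allowed origin is echoed back, so caches must key on Origin.
            AllowOrigin::List(_) => {
                headers.push(("access-control-allow-origin", origin.to_string()));
                headers.push(("vary", "Origin".to_string()));
            }
        }
        if self.allow_credentials {
            headers.push(("access-control-allow-credentials", "true".to_string()));
        }
        Ok(headers)
    }
}
```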