Almost all CORS misconfiguration notifications are false positives. If you have checked "Access-Control-Allow-Origin: *", you will get these false positives. It needs to be set to "Access-Control-Allow-Credentials: true"
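As an added example (not part of the original answer), this is one way to triage scanner findings along the lines described above: a wildcard `Access-Control-Allow-Origin` on its own is treated as a likely false positive, while an untrusted origin combined with `Access-Control-Allow-Credentials: true` is kept for review. The function names, verdict labels, URLs and sample responses are constructed for illustration.

```python
# Added example: triage of CORS scanner findings (sample data is constructed).

def classify_cors(probe_origin, headers, trusted_origins=()):
    """Return a verdict for one response, given the Origin the scanner sent."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    # The credentials header only counts when its value is exactly "true".
    creds = h.get("access-control-allow-credentials") == "true"

    if acao is None:
        return "no-cors-headers"
    if acao == "*":
        # Browsers will not expose a credentialed response under a wildcard,
        # so "*" alone shares only what an anonymous request already gets.
        return "wildcard-with-credentials-invalid" if creds else "wildcard-public"
    if acao in trusted_origins:
        return "trusted-origin"
    if acao in (probe_origin, "null"):
        # The server echoed an untrusted origin, or allows the "null" origin.
        if creds:
            return "untrusted-origin-with-credentials"
        return "untrusted-origin-no-credentials"
    return "fixed-origin"


# Only this verdict lets another site read authenticated responses.
NEEDS_REVIEW = {"untrusted-origin-with-credentials"}


def triage(findings, trusted_origins=()):
    """Return the URLs of findings whose verdict warrants manual review."""
    return [f["url"] for f in findings
            if classify_cors(f["origin"], f["headers"], trusted_origins)
            in NEEDS_REVIEW]


# Constructed scanner output: probe Origin sent and response headers received.
SAMPLE = [
    {"url": "https://cdn.example/fonts.css", "origin": "https://probe.example",
     "headers": {"Access-Control-Allow-Origin": "*"}},
    {"url": "https://app.example/api/me", "origin": "https://probe.example",
     "headers": {"access-control-allow-origin": "https://probe.example",
                 "Access-Control-Allow-Credentials": "true"}},
    {"url": "https://app.example/api/status", "origin": "https://probe.example",
     "headers": {"Access-Control-Allow-Origin": "https://probe.example"}},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```
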