
Featured article
CORS Doesn't Apply to WebSockets — and Your AI Agent Might Be Vulnerable
WebSockets bypass the Same-Origin Policy entirely. If your realtime AI agent authenticates via cookies without validating the Origin header, any page can hijack the session. There's a CWE for it — and we didn't know about it either.
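An added example (not code from the article): a server-side check that validates the Origin header of a WebSocket handshake against an exact-match allowlist before any cookie-based session is honored. The allowed origin, the sample headers and the function names are assumptions made for illustration.

```javascript
// Added example: exact-match Origin allowlist for a cookie-authenticated
// WebSocket handshake. ALLOWED_ORIGINS and all sample values are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Parse an Origin header into canonical scheme://host[:port], or null.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    // A real Origin header carries no credentials, path, query or fragment.
    if (u.username || u.password || u.pathname !== "/" || u.search || u.hash) return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Decide on a handshake from its request headers (lower-cased names, as in
// Node's req.headers). Run this before the session cookie is looked at.
function decideUpgrade(headers) {
  if (String(headers["upgrade"] || "").toLowerCase() !== "websocket") {
    return { accept: false, status: 400, reason: "not a websocket upgrade" };
  }
  const origin = normalizeOrigin(headers["origin"]);
  // Assumption: only browser clients use cookie auth, so a missing Origin is refused.
  if (origin === null) {
    return { accept: false, status: 403, reason: "missing or malformed origin" };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { accept: false, status: 403, reason: "origin not allowed" };
  }
  return { accept: true, status: 101, reason: "origin allowed" };
}

// Constructed handshakes: the cookie is sent in every case, only Origin differs.
const samples = [
  "https://app.example.com",
  "https://app.example.com.evil.test", // defeats prefix/substring matching
  "https://app.example.com:8443",      // different port is a different origin
  "null",                              // sandboxed frame or opaque origin
  undefined,                           // header absent
];
for (const origin of samples) {
  const headers = { upgrade: "websocket", cookie: "session=constructed" };
  if (origin !== undefined) headers.origin = origin;
  console.log(origin, "->", decideUpgrade(headers).status);
}
```

In a Node HTTP server this decision belongs in the 'upgrade' event handler, with the socket closed on any result other than accept.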


















