Missing CORS Policy in Apollo GraphQL Server

Description

The Apollo GraphQL server lacks a CORS policy. By default, the batteries-included apollo-server package serves the Access-Control-Allow-Origin HTTP header with the wildcard value (*).

Examples

Insecure Code

new ApolloServer({})

Secure Code

new ApolloServer({ cors: { origin: '*' } })

Remediation

Add a CORS policy to the Apollo GraphQL server by including the 'cors' option when creating a new ApolloServer instance, e.g., 'new ApolloServer({ cors: { origin: '*' } })'.

Rule Details

Field	Value
ID	CODE-0276
Category	Web
Severity	MEDIUM
CWE	CWE-942
Confidence	HIGH
Impact	LOW
Likelihood	LOW
Exploitability	MODERATE
Tags	cors, apollo-server
OWASP	N/A

References

https://www.apollographql.com/docs/apollo-server/v3/security/cors#configuring-cors-options-for-apollo-server

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Missing CORS Policy in Apollo GraphQL Server

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Missing CORS Policy in Apollo GraphQL Server ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Missing CORS Policy in Apollo GraphQL Server

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References