Insecure CORS Policy in Apollo GraphQL Server
Description
The Apollo GraphQL server is set up with a CORS policy that allows or reflects any origin, or with an origin regex that has known flaws (for example an unanchored pattern such as `/example\.com/`, which also matches `example.com.attacker.test`). A page on an untrusted origin can then send cross-origin requests to the GraphQL endpoint and read the responses; if credentials are also allowed, those requests carry the victim's session and act on behalf of the user.
Examples
Insecure Code

```js
const { ApolloServer } = require('apollo-server');

// `cors: true` applies the default CORS options: any origin is allowed.
new ApolloServer({ cors: true });
```

Secure Code

```js
const { ApolloServer } = require('apollo-server');

// Only the listed origin receives an Access-Control-Allow-Origin header.
new ApolloServer({ cors: { origin: 'https://example.com' } });
```

Remediation
Update the CORS policy to allow only specific, trusted origins: an exact allowlist of full origins (scheme, host and port), or, if a pattern is unavoidable, a regex anchored at both ends so it cannot match attacker-controlled hostnames. Refer to the Apollo GraphQL documentation for configuring CORS options: https://www.apollographql.com/docs/apollo-server/v3/security/cors#configuring-cors-options-for-apollo-server
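The following is an added example, not code from the original page or from Apollo, showing why an unanchored origin regex fails and how an exact allowlist can be wired into the `origin` callback form that Apollo Server 3's `cors` option accepts (the same option shape as the `cors` npm package). The hostnames, probe origins and the `isAllowedOrigin`/`resolveOrigin` helpers are constructed for illustration.

```javascript
// Added example: flawed regex origin check beside an exact-match allowlist.
// Origins and hostnames below are constructed for illustration.

// Flawed pattern: unanchored, so it matches anywhere in the Origin value and
// attacker-controlled hosts such as example.com.attacker.test pass the check.
const flawedOriginRegex = /https:\/\/example\.com/;

// Exact allowlist of full origins (scheme + host + optional port), no patterns.
const allowedOrigins = new Set([
  'https://example.com',
  'https://app.example.com',
]);

// True only when the Origin header value is exactly one of the trusted origins.
// A missing Origin header (same-origin or non-browser client) is not allowed,
// so nothing is ever reflected by default.
function isAllowedOrigin(origin) {
  if (!origin) return false;
  return allowedOrigins.has(origin);
}

// `cors` option object in the shape Apollo Server 3 / the `cors` package accept:
// the origin callback answers per request instead of echoing whatever was sent.
// Usage (assumed, not run here): new ApolloServer({ typeDefs, resolvers, cors: corsOptions })
const corsOptions = {
  origin: (origin, callback) => {
    if (isAllowedOrigin(origin)) {
      callback(null, origin); // emit Access-Control-Allow-Origin for a known-good origin only
    } else {
      callback(null, false);  // no Access-Control-Allow-Origin header at all
    }
  },
  // Cookies are only safe to allow because the origin check above is exact.
  credentials: true,
};

// Test helper: drive the cors-style callback synchronously and return its decision.
function resolveOrigin(options, requestOrigin) {
  let decision;
  options.origin(requestOrigin, (err, allowed) => { decision = allowed; });
  return decision;
}

// Demonstration on constructed Origin header values.
const probes = [
  'https://example.com',                     // legitimate
  'https://example.com.attacker.test',       // trusted host as a prefix of an attacker host
  'https://attacker.test/?x=https://example.com', // trusted origin embedded in a query string
  'http://example.com',                      // wrong scheme
];
for (const o of probes) {
  console.log(o, 'regex:', flawedOriginRegex.test(o), 'allowlist:', isAllowedOrigin(o));
}
```

The regex column accepts three of the four probes; the allowlist accepts only the first. Keep the allowlist to full origins rather than bare hostnames so scheme and port are compared too.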
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0277 |
| Category | Web |
| Severity | HIGH |
| CWE | CWE-942 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | cors, apollo-graphql |
| OWASP | N/A |