Insecure CORS Configuration
Description
The Access-Control-Allow-Origin response header is set to '*' (the default when Express's cors() middleware is used without options), which removes the browser's Same Origin Policy protection for this resource and allows any origin to read its responses.
Examples
Insecure Code

```javascript
// Both forms emit "Access-Control-Allow-Origin: *"; cors() with no options defaults to the wildcard.
app.use(cors());
res.header('Access-Control-Allow-Origin', '*');
```

Secure Code

```javascript
// Restrict the allowed origin to one trusted site instead of the wildcard.
app.use(cors({ origin: 'https://example.com' }));
res.header('Access-Control-Allow-Origin', 'https://example.com');
```

Remediation
Set the Access-Control-Allow-Origin header to a specific trusted origin, or validate the request's Origin header against an explicit allowlist of trusted origins and return only an exact match, so that the browser's Same Origin Policy restrictions stay in force for every other origin.
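The allowlist approach from the remediation, as an added example that is not part of the original rule page: a framework-free helper that picks the CORS headers for a request's Origin by exact match, sends nothing for unknown origins, and adds Vary: Origin. The TRUSTED_ORIGINS entries and the Express wiring in the trailing comment are assumptions.

```javascript
// Added example (not the rule page's own code): allowlist-based CORS header
// selection for an Express-style handler. Framework-free so it runs stand-alone.

// Constructed allowlist of trusted origins: scheme + host (+ port), no path.
const TRUSTED_ORIGINS = new Set([
  'https://example.com',
  'https://app.example.com',
]);

// Decide which CORS headers to emit for a given request Origin value.
// Returns a plain object of headers (always includes Vary: Origin).
//  - Never echo an arbitrary Origin back: that is equivalent to '*' and is
//    worse when combined with credentials.
//  - Match the full origin exactly, not by substring or loose regex, so a
//    lookalike such as https://example.com.evil.test does not pass.
//  - Emit Vary: Origin so shared caches do not serve one origin's response
//    to another.
function corsHeadersFor(origin, { allowCredentials = false } = {}) {
  const headers = { Vary: 'Origin' };
  if (typeof origin !== 'string' || !TRUSTED_ORIGINS.has(origin)) {
    // Unknown or absent Origin: omit Access-Control-Allow-Origin entirely,
    // so the browser's same-origin policy blocks the cross-origin read.
    return headers;
  }
  headers['Access-Control-Allow-Origin'] = origin;
  if (allowCredentials) {
    // Only safe because the origin is an exact allowlist hit; browsers
    // reject '*' together with credentials in any case.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Assumed Express wiring (not executed here):
// app.use((req, res, next) => {
//   res.set(corsHeadersFor(req.get('Origin'), { allowCredentials: true }));
//   next();
// });
```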
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0395 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-346 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | CORS, Security Misconfiguration |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |