Origin validation error

Description

Access-Control-Allow-Origin response header is set to *. This will disable CORS Same Origin Policy restrictions.

javascript

app.options('*', cors())

javascript

app.options('https://example.com', cors())

Set the Access-Control-Allow-Origin response header to a specific domain or a list of trusted domains instead of *.

Field	Value
ID	CODE-0396
Category	Web
Severity	MEDIUM
CWE	CWE-346
Confidence	HIGH
Impact	MEDIUM
Likelihood	MEDIUM
Exploitability	EASY
Tags	CORS, Security Misconfiguration
OWASP	A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration