Permissive Access-Control-Allow-Origin configuration

Overview

  • Rule ID: java_lang_permissive_allow_origin

  • Applicable Languages: Java

  • Weakness ID: CWE-942

Description

A permissive Access-Control-Allow-Origin header weakens the browser's same-origin policy for your application. Setting the header to "*" lets a page on any origin read your application's responses, which can expose sensitive information. Browsers refuse to combine "*" with Access-Control-Allow-Credentials: true, so cookie-authenticated responses are not directly readable, but any response that does not depend on browser-managed credentials (for example an API that trusts the client's network location) can be read from any site.

Remediation Guidelines

  • Avoid setting the Access-Control-Allow-Origin header to "*". This excessively permissive configuration can expose your application to potential attacks.

    response.addHeader("access-control-allow-origin", "*"); // unsafe
    
  • Limit the Access-Control-Allow-Origin header to the specific, trusted origins that need access to your application. The value must be a full origin (scheme, host, and port when non-default); a bare hostname does not match the Origin header a browser sends, so the cross-origin request is blocked rather than allowed. Restricting the header to known origins reduces the likelihood of exposing sensitive data.

    response.addHeader("access-control-allow-origin", "https://myapp.example.com");
      
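The allowlist approach in practice, as an added Java example that is not the scanner's own code. It compares the request's Origin header against a set of exact origins and only then emits the header, together with Vary: Origin so shared caches do not serve one origin's response to another. The class name CorsAllowlist, the method names, and the two allowlisted origins are assumptions made for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.BiConsumer;

/**
 * Allowlist-based CORS handling. Added illustration for this rule, not the
 * scanner's own code; the origins below are assumptions for the example.
 */
public class CorsAllowlist {

    // Full origins (scheme, host, and port when non-default). A bare hostname
    // such as "myapp.example.com" never matches the Origin header a browser sends.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://myapp.example.com",
            "https://admin.example.com:8443");

    /**
     * Returns the request's Origin if it is allowlisted, otherwise null.
     * Comparison is exact: prefix, suffix or regex matching lets origins like
     * "https://myapp.example.com.attacker.net" through.
     */
    public static String allowedOrigin(String requestOrigin) {
        if (requestOrigin == null) {
            return null; // same-origin or non-browser request, no CORS needed
        }
        return ALLOWED_ORIGINS.contains(requestOrigin) ? requestOrigin : null;
    }

    /**
     * Emits the CORS headers for one response. In a servlet or filter call it as
     * applyCors(request.getHeader("Origin"), response::addHeader).
     */
    public static void applyCors(String requestOrigin, BiConsumer<String, String> addHeader) {
        String origin = allowedOrigin(requestOrigin);
        if (origin == null) {
            return; // no header at all: the browser blocks the cross-origin read
        }
        addHeader.accept("Access-Control-Allow-Origin", origin);
        // The value now varies per request, so shared caches must key on Origin;
        // without this a cached response for one origin could be served to another.
        addHeader.accept("Vary", "Origin");
    }

    public static void main(String[] args) {
        // Constructed sample Origin values covering the cases that matter.
        String[] samples = {
                "https://myapp.example.com",              // allowlisted
                "https://myapp.example.com.attacker.net", // suffix spoof, rejected
                "http://myapp.example.com",               // wrong scheme, rejected
                "null",                                   // sandboxed iframe / file origin, rejected
                null                                      // no Origin header
        };
        for (String sample : samples) {
            Map<String, String> headers = new LinkedHashMap<>();
            applyCors(sample, headers::put);
            System.out.println(sample + " -> " + headers);
        }
    }
}
```

Run it with java CorsAllowlist.java (Java 11 or later). Only the first sample produces headers; the others, including the literal "null" origin that sandboxed iframes and file:// pages send, get none, which is the safe default because the browser then refuses to expose the response to the calling page.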

Configuration

To skip this rule during a scan, use the rule configuration options of the SAST tool.
