# Permissive Access-Control-Allow-Origin configuration

## Overview

* **Rule ID**: `java_lang_permissive_allow_origin`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-942

## Description

A liberal Access-Control-Allow-Origin configuration can pose security risks to your application. Setting this header to "\*" allows any website to access your application's responses, potentially resulting in unauthorized access to sensitive information.

## Remediation Guidelines

* **Avoid** setting the Access-Control-Allow-Origin header to "\*". This excessively permissive configuration can expose your application to potential attacks.

  ```java
  response.addHeader("access-control-allow-origin", "*"); // unsafe: every origin may read the response
  ```
* **Limit the Access-Control-Allow-Origin header** to permit only specific, trusted origins that require access to your application. This approach reduces the likelihood of exposing sensitive data.

  ```java
  // A CORS origin is scheme + host (+ port); a bare hostname would never match the browser's Origin header
  response.addHeader("access-control-allow-origin", "https://myapp.example.com");
  ```
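
The two guidelines above combined into a servlet filter, as an added example that is not part of this rule's documentation: the filter keeps a fixed allowlist of full origins, echoes back only an exact match instead of `*`, and adds `Vary: Origin` so shared caches do not serve one origin's response to another. The class name, the allowlist entries and the `javax.servlet` API (use `jakarta.servlet` on newer containers) are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Echoes the request Origin only when it is on a fixed allowlist of full origins. */
public class AllowlistCorsFilter implements Filter {

    // Hypothetical allowlist: full origins (scheme + host [+ port]), never bare hostnames or "*".
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://myapp.example.com",
            "https://admin.example.com");

    /** Returns the origin to echo back, or null when it is absent or not allowlisted. */
    static String allowedOrigin(String requestOrigin) {
        // Null check first: Set.of(...) throws on contains(null).
        if (requestOrigin == null || !ALLOWED_ORIGINS.contains(requestOrigin)) {
            return null;
        }
        return requestOrigin;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = allowedOrigin(request.getHeader("Origin"));
        if (origin != null) {
            // Exact allowlisted origin, not "*": scopes the grant to one site and permits credentials.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Vary", "Origin");
            response.setHeader("Access-Control-Allow-Credentials", "true");
        }

        // Preflight requests are answered here; non-allowlisted origins get no CORS headers at all.
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setHeader("Access-Control-Allow-Methods", "GET, POST");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter for the paths that serve cross-origin APIs; requests from origins outside the allowlist still reach the application, but the browser blocks the page from reading the response.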

## References

* [**OWASP Origin & Access-Control-Allow-Origin**](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing)
* [**CWE-942: Permissive Cross-domain Policy with Untrusted Domains**](https://cwe.mitre.org/data/definitions/942.html)
* [**OWASP Top 10: A05:2021 - Security Misconfiguration**](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)

## Configuration

To omit this rule during a scan, or to get continuous 24/7 code-level scanning, use our [**SAST TOOL**](https://scopy.sec1.io/login).
