Unsanitized user input in Access-Control-Allow-Origin
Overview
Rule ID:
java_lang_insecure_allow_origin
Applicable Languages: Java
Weakness ID: CWE-346
Description
Setting the Access-Control-Allow-Origin header from unverified user-controlled input (typically the request's Origin header) can lead to unauthorized access to sensitive data. Because the browser trusts whatever origin the server echoes back, an attacker-controlled origin can be granted cross-origin access to the application's resources.
Remediation Guidelines
Avoid using user input to specify the Access-Control-Allow-Origin header without proper validation. This practice can unintentionally provide access to sensitive information. If it is essential to use user input for defining origins, ensure thorough validation to confirm the input comes from a trusted source.
Implement a safelist approach when specifying origins. Limit access to your resources to only known and trusted domains.
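The flagged pattern beside a safelisted version, written for the Servlet API as an added example (not code from the rule page); the trusted-origin set is a constructed placeholder.

```java
import java.util.Optional;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CorsOriginFilter {
    // Constructed safelist for this example: exact origins (scheme + host + port),
    // not patterns, so "https://app.example.com.evil.test" cannot match.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
        "https://app.example.com",
        "https://admin.example.com"
    );

    // Pattern the rule flags: the request's Origin header is echoed back
    // unverified, so any origin the caller supplies is granted access,
    // here even with credentials.
    public static void insecure(HttpServletRequest req, HttpServletResponse resp) {
        String origin = req.getHeader("Origin");
        resp.setHeader("Access-Control-Allow-Origin", origin);
        resp.setHeader("Access-Control-Allow-Credentials", "true");
    }

    // Remediation: resolve the requested origin against the safelist with an
    // exact string comparison. Returns empty for null, unknown or lookalike
    // origins, and for the literal "null" origin browsers send from sandboxes.
    public static Optional<String> resolveAllowedOrigin(String requestedOrigin) {
        if (requestedOrigin == null || "null".equals(requestedOrigin)) {
            return Optional.empty();
        }
        return ALLOWED_ORIGINS.contains(requestedOrigin)
            ? Optional.of(requestedOrigin)
            : Optional.empty();
    }

    public static void secure(HttpServletRequest req, HttpServletResponse resp) {
        Optional<String> allowed = resolveAllowedOrigin(req.getHeader("Origin"));
        if (allowed.isPresent()) {
            resp.setHeader("Access-Control-Allow-Origin", allowed.get());
            resp.setHeader("Access-Control-Allow-Credentials", "true");
            // The value varies per request, so shared caches must key on Origin.
            resp.addHeader("Vary", "Origin");
        }
        // Deny by omission: no header means the browser blocks the cross-origin read.
    }
}
```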
Configuration
To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL