Unsanitized user input in Access-Control-Allow-Origin

Overview

  • Rule ID: java_lang_insecure_allow_origin

  • Applicable Languages: Java

  • Weakness ID: CWE-346

Description

Setting the Access-Control-Allow-Origin header from unverified, user-controlled input can lead to unauthorized access to sensitive data. Because browsers let the origin named in this header read the response, an attacker who can supply an arbitrary origin value gains cross-origin access to the application's resources.

Remediation Guidelines

  • Avoid using user input to set the Access-Control-Allow-Origin header without proper validation; doing so can unintentionally expose sensitive information.

  • If user input must be used to define origins, validate it thoroughly to confirm that it names a trusted source.

  • Implement a safelist (allowlist) approach when specifying origins, limiting access to your resources to known and trusted domains only.
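As an added illustration (not part of this rule page or the scanner it documents), the following shows the reflection pattern the rule flags next to a safelist-based servlet filter. The `CorsOriginFilter` class name, the choice of the `javax.servlet` API, and the `example.com` origins are assumptions made for the example; the safelist entries are constructed values.

```java
import java.io.IOException;
import java.util.Optional;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical CORS filter: Access-Control-Allow-Origin is chosen from a safelist. */
public class CorsOriginFilter implements Filter {

    // Constructed safelist of trusted origins: full scheme + host (+ port), nothing else.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://admin.example.com:8443");

    /**
     * Returns the origin to echo back only if it is an exact member of the safelist.
     * Exact equality is deliberate: startsWith/contains/endsWith checks accept
     * untrusted hosts that merely embed a trusted name somewhere in them.
     */
    static Optional<String> allowedOrigin(String requestOrigin) {
        if (requestOrigin == null || requestOrigin.isEmpty()) {
            return Optional.empty();
        }
        return ALLOWED_ORIGINS.contains(requestOrigin)
                ? Optional.of(requestOrigin)
                : Optional.empty();
    }

    // Vulnerable pattern the rule flags: the header is set from the unvalidated
    // request Origin, so any site that makes a browser send a request is allowed
    // to read the response.
    static void reflectOriginUnsafely(HttpServletRequest request, HttpServletResponse response) {
        response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Optional<String> origin = allowedOrigin(request.getHeader("Origin"));
        if (origin.isPresent()) {
            // Safe: the value written is one of our own constants, selected by lookup,
            // not the raw request header.
            response.setHeader("Access-Control-Allow-Origin", origin.get());
            // Grant credentials only alongside an explicit, validated origin; never with "*".
            response.setHeader("Access-Control-Allow-Credentials", "true");
            // Tell caches the response differs per Origin so one origin's copy is not reused.
            response.addHeader("Vary", "Origin");
        }
        // Absent or unlisted Origin: emit no CORS headers; the browser enforces same-origin.

        chain.doFilter(req, res);
    }
}
```

The filter still has to be registered for the paths that serve cross-origin data, and preflight (OPTIONS) handling with Access-Control-Allow-Methods/Headers is left out to keep the focus on the origin check. The key design choice is that the only string ever written to the header is one of the application's own constants; the request's Origin value serves purely as a lookup key.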
