Unsanitized user input in Access-Control-Allow-Origin

Overview

• Rule ID: javascript_express_insecure_allow_origin

• Applicable Languages: Javascript

• Weakness ID: CWE-346

Description

Using unverified user-defined input to set the Access-Control-Allow-Origin header can result in unauthorized access to sensitive data. This vulnerability exposes your application to potential security risks by allowing attackers to specify origins that can access resources.

Remediation Guidelines

• Do not define the Access-Control-Allow-Origin header with user input. This practice can compromise the security of your application by allowing data access to unintended users.

• Do verify user input if it is absolutely necessary to use it for defining origins. Ensure that the verification process is robust to prevent security breaches.

• Do use a safelist approach when specifying origins. This uses a predefined list of trusted origins and only allows requests from those origins.

References

• OWASP Origin & Access-Control-Allow-Origin

• CWE-346: Origin Validation Error

• OWASP Top 10: A07:2021 - Identification and Authentication Failures

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL