
Cross-Origin Resource Sharing Allowed

Impact: Informational

Description

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to allow a web application running at one origin to read selected resources served from a different origin, relaxing the browser's same-origin policy for those responses. Enabling CORS where there is no specific need for it, for example by sending Access-Control-Allow-Origin to every origin, can disclose sensitive response data to foreign origins.

Recommendation

Consider removing the Access-Control-Allow-Origin header altogether, or restricting it to an explicit list of trusted origins as needed, to minimize the risk of sensitive data exposure.
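The following is an added example, not part of the original finding and not SmartScanner code, showing the difference between the pattern this finding flags (reflecting any request Origin into Access-Control-Allow-Origin) and the recommended fix (an exact-match allowlist, with the header omitted for everything else). The allowlist entries and the request origins are constructed values for illustration.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist of trusted origins (placeholders, not real deployments).
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def normalize_origin(origin: str) -> Optional[str]:
    """Return the origin as scheme://host[:port] with a lowercased host,
    or None if the value is not a bare origin (a browser-sent Origin header
    never carries a path, query or fragment)."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers_weak(request_origin: Optional[str]) -> Dict[str, str]:
    """The configuration the finding warns about: whatever Origin arrives is
    echoed back, so any site can read the response from a victim's browser
    (and, with Allow-Credentials, their authenticated session)."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_strict(request_origin: Optional[str],
                        allowed: Iterable[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Recommended form: emit Access-Control-Allow-Origin only for an exact
    allowlist match and omit it entirely otherwise. 'null', look-alike
    hosts and subdomain suffixes fail the exact comparison. Vary: Origin
    keeps shared caches from serving one origin's response to another."""
    if request_origin is None:
        return {}
    origin = normalize_origin(request_origin)
    if origin is None or origin not in set(allowed):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for o in ["https://app.example.com", "https://app.example.com.attacker.test", "null"]:
        print(o, "->", cors_headers_strict(o))
```

Exact string comparison is the point: regex or `endswith` checks on the host are a common way to turn an allowlist back into the weak form, and an unmatched origin gets no CORS header at all rather than a default value.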


Last updated on May 13, 2024
