Description
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to allow a web application running at one origin to access selected resources from a different origin. However, allowing CORS without specific need can lead to the disclosure of sensitive information to foreign origins.
Recommendation
Consider removing the Access-Control-Allow-Origin header altogether, or restricting it to the specific origins that need access, to minimize the risk of sensitive data exposure.
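The following Python snippet is an added example, not part of this page or of any particular product: it shows one way to apply the recommendation on the server side, setting Access-Control-Allow-Origin only for an explicit allowlist (and omitting it otherwise), beside a small audit helper that flags the weak configurations the description warns about. The allowlist entries, the function names (`cors_headers`, `audit_cors`) and the sample origins are all hypothetical.

```python
"""Restrict Access-Control-Allow-Origin to an allowlist and audit weak settings.

Added example; not from the page. Everything below (origins, function
names, findings text) is constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlsplit

# Constructed allowlist: only these origins may read cross-origin responses.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def normalize_origin(origin: str) -> Optional[str]:
    """Return 'scheme://host[:port]' for a well-formed Origin value, else None.

    Rejects 'null', bare hostnames and anything carrying a path, so the
    allowlist is matched exactly rather than by prefix or substring.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers(origin: Optional[str],
                 allowlist: FrozenSet[str] = ALLOWED_ORIGINS,
                 credentials: bool = False) -> Dict[str, str]:
    """Compute the CORS response headers for a request carrying `origin`.

    Hardened behaviour: the header is emitted only for an exact allowlist
    match; any other origin (including 'null' and suffix look-alikes such as
    https://app.example.com.attacker.test) gets no ACAO header at all, which
    makes browsers block the cross-origin read. 'Vary: Origin' is always set
    because the response depends on the request's Origin.
    """
    headers = {"Vary": "Origin"}
    if origin is None:
        return headers
    normalized = normalize_origin(origin)
    if normalized is None or normalized not in allowlist:
        return headers
    headers["Access-Control-Allow-Origin"] = normalized
    if credentials:
        # Credentials are only ever paired with a single explicit origin.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_cors(headers: Dict[str, str],
               allowlist: FrozenSet[str] = ALLOWED_ORIGINS) -> List[str]:
    """Flag response headers that grant cross-origin read access too widely."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return findings  # no header: browsers block cross-origin reads
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == "*":
        findings.append("wildcard Access-Control-Allow-Origin: any site may read the response")
        if creds:
            findings.append("wildcard paired with Allow-Credentials: true (browsers reject it; "
                            "signals a confused configuration)")
        return findings
    if acao == "null":
        findings.append("'null' origin allowed: sandboxed iframes and file:// pages carry it")
    elif normalize_origin(acao) not in allowlist:
        findings.append(f"origin outside allowlist granted access: {acao}")
    if "origin" not in h.get("vary", "").lower():
        findings.append("Vary: Origin missing: a shared cache may serve one origin's "
                        "response to another")
    return findings


if __name__ == "__main__":
    for o in ["https://app.example.com", "https://app.example.com.attacker.test", "null", None]:
        print(o, "->", cors_headers(o))
    print(audit_cors({"Access-Control-Allow-Origin": "*"}))
```

The key design choice is that a non-matching origin produces no Access-Control-Allow-Origin header rather than a reflected or wildcard value, which is exactly the "remove the header" half of the recommendation applied per request; exact matching on the normalized origin avoids the common mistake of accepting any origin that merely starts with or contains an allowed hostname.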
Related Issues
- ASP.NET Version Disclosure - Vulnerability
- Content Character Encoding is not Defined - Vulnerability
- Content-Security-Policy Header is Missing - Vulnerability
- Cookie Accessible for Subdomains - Vulnerability
Tags:
- HTTP Headers
- CORS
- Application Misconfiguration
Last updated on May 13, 2024