Terraform Cors Wildcard Origin Or Headers
Description
Unable to analyze detection strategy without provided implementation. Additional code details needed to document the security vulnerability and detection approach.
Detection Strategy
• Please provide the method implementation, code patterns, and test examples to document:
• - The specific security vulnerability being detected
• - Conditions that trigger detection
• - Example vulnerable patterns
• - Implementation approach
Vulnerable code example
resource "aws_s3_bucket_cors_configuration" "example" {
bucket = aws_s3_bucket.example.id
cors_rule {
allowed_headers = ["*"] # Insecure: Allows all headers from any origin
allowed_methods = ["GET", "PUT", "POST", "DELETE"]
allowed_origins = ["*"] # Vulnerable: Allows requests from ANY origin
expose_headers = ["ETag"]...✅ Secure code example
resource "aws_s3_bucket_cors_configuration" "example" {
bucket = aws_s3_bucket.example.id
cors_rule {
allowed_headers = ["Authorization", "Content-Type"] # Only allow necessary headers
allowed_methods = ["PUT", "POST"] # Separate write operations
allowed_origins = ["https://example.com"] # Restrict to specific domain
expose_headers = ["ETag"]...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.