Python Cors Allow All Origins
Description
Detects insecure CORS (Cross-Origin Resource Sharing) configurations in Django applications where all origins are allowed. When CORS is configured to allow all origins (*), it permits any website to make requests to your application, potentially enabling cross-site attacks and unauthorized data access.
Detection Strategy
• Checks if the django-cors-headers package is imported or used in the application
• Identifies if CORS_ALLOW_ALL_ORIGINS or CORS_ORIGIN_ALLOW_ALL setting is set to True in Django settings
• Reports a vulnerability only when both conditions are met: the django-cors-headers package is present and all origins are allowed
Vulnerable code example
# settings.py
INSTALLED_APPS = [
"corsheaders",
]
MIDDLEWARE = [
"corsheaders.middleware.CorsMiddleware",
]
# ...

✅ Secure code example
# settings.py
INSTALLED_APPS = [
"corsheaders",
]
MIDDLEWARE = [
"corsheaders.middleware.CorsMiddleware",
"django.middleware.security.SecurityMiddleware",  # Added security middleware
# ...
]
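The check described under Detection Strategy, run over a vulnerable and a hardened settings module, as an added example that is not Fluid Attacks' own rule implementation. It assumes settings are top-level literal assignments (INSTALLED_APPS and MIDDLEWARE as lists of string literals, the CORS flags as literal booleans), accepts both spellings of the allow-all flag named on the page, and uses CORS_ALLOWED_ORIGINS, the explicit allowlist setting of django-cors-headers that the page does not show, in the hardened sample. All three sample settings strings are constructed for this example.

```python
"""Static check for the CORS allow-all pattern in Django settings (added example)."""
import ast

# Both names the page lists for the allow-all switch.
ALLOW_ALL_SETTINGS = ("CORS_ALLOW_ALL_ORIGINS", "CORS_ORIGIN_ALLOW_ALL")
CORS_APP = "corsheaders"
CORS_MIDDLEWARE = "corsheaders.middleware.CorsMiddleware"

# Constructed sample settings modules for this example (not from the page).
VULNERABLE_SETTINGS = '''
INSTALLED_APPS = ["django.contrib.admin", "corsheaders"]
MIDDLEWARE = ["corsheaders.middleware.CorsMiddleware"]
CORS_ALLOW_ALL_ORIGINS = True
'''

HARDENED_SETTINGS = '''
INSTALLED_APPS = ["django.contrib.admin", "corsheaders"]
MIDDLEWARE = ["corsheaders.middleware.CorsMiddleware"]
CORS_ALLOW_ALL_ORIGINS = False
# Explicit allowlist instead of the wildcard (django-cors-headers setting).
CORS_ALLOWED_ORIGINS = ["https://app.example.com"]
'''

# Legacy flag set to True, but the package is never wired in, so the rule
# stays quiet: without the middleware the wildcard never reaches a response.
NO_PACKAGE_SETTINGS = '''
CORS_ORIGIN_ALLOW_ALL = True
'''


def _string_items(node):
    """Return the string literals inside a list/tuple node, ignoring the rest."""
    if not isinstance(node, (ast.List, ast.Tuple)):
        return []
    return [e.value for e in node.elts
            if isinstance(e, ast.Constant) and isinstance(e.value, str)]


def _assignments(tree):
    """Yield (name, value) for top-level NAME = value and NAME += value."""
    for node in tree.body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    yield target.id, node.value
        elif isinstance(node, ast.AugAssign) and isinstance(node.target, ast.Name):
            yield node.target.id, node.value


def analyze_settings(source):
    """Return the two facts the rule combines, plus which flag was set."""
    facts = {"cors_headers_present": False,
             "allow_all_origins": False,
             "allow_all_setting": None}
    for name, value in _assignments(ast.parse(source)):
        if name in ("INSTALLED_APPS", "MIDDLEWARE"):
            items = _string_items(value)
            if CORS_APP in items or CORS_MIDDLEWARE in items:
                facts["cors_headers_present"] = True
        elif name in ALLOW_ALL_SETTINGS:
            # Only a literal True counts; a variable or call is left for review.
            if isinstance(value, ast.Constant) and value.value is True:
                facts["allow_all_origins"] = True
                facts["allow_all_setting"] = name
    return facts


def is_vulnerable(source):
    """True only when the package is present AND all origins are allowed."""
    facts = analyze_settings(source)
    return facts["cors_headers_present"] and facts["allow_all_origins"]


if __name__ == "__main__":
    for label, src in [("vulnerable", VULNERABLE_SETTINGS),
                       ("hardened", HARDENED_SETTINGS),
                       ("no package", NO_PACKAGE_SETTINGS)]:
        print(f"{label:>11}: {'FINDING' if is_vulnerable(src) else 'ok'}")
```

The two-condition rule is what keeps the check from flagging a stray `CORS_ORIGIN_ALLOW_ALL = True` in a project that never installs the middleware; conversely, a flag that is not a literal `True` (read from the environment, for instance) is deliberately not reported here and should be reviewed by hand.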