Insecure or unset HTTP headers - CORS
Description
The cross-origin resource sharing (CORS) policy uses a wildcard: the Access-Control-Allow-Origin header is set to *, or the server echoes back whatever Origin the client sends, so any domain is accepted as a valid origin for sharing the application's resources.
Impact
Scripts running on any web page, including pages controlled by an attacker, can read the application's responses across origins. With a literal * browsers refuse to send credentials, so only data that is already public is exposed; when the server reflects arbitrary origins and also sends Access-Control-Allow-Credentials: true, an attacker's page can read responses from a victim's authenticated session.
Recommendation
Remove the wildcard (*) and define the trusted origins explicitly. Compare the request's Origin header against that allowlist with an exact match (scheme, host and port), return only the matching origin in Access-Control-Allow-Origin, add Vary: Origin so caches do not serve one origin's response to another, and never reflect an unvalidated Origin, especially together with Access-Control-Allow-Credentials: true.
Threat
Unauthorized attacker from the Internet.
Expected Remediation Time
⏱️ 30 minutes.
Requirements
062 - Define standard configurations
266 - Disable insecure functionalities
349 - Include HTTP security headers
Rules
Api Permissive Cors Policy
Http Cors Wildcard Origin
Scala Cors Wildcard Origin Header
Java Cors Allow All Origins
Typescript Cors Wildcard Origin Header Lambda
Ruby Cors Wildcard Origin
Xml Cors Wildcard Origin Config
Json Yaml Cors Wildcard Origin Api Gateway
Javascript Cors Wildcard Origin Header
C Sharp Cors Wildcard Origin Http Request
Javascript Cors Wildcard Origin Header Lambda
C Sharp Allow Any Origin Cors
Swift Cors Wildcard Origin Config
Json Yaml Cors Wildcard Origin Config
Json Yaml Cors Wildcard Origin Or Headers
Typescript Cors Wildcard Origin Header Express
Java Universal Access From File Urls
Typescript Cors Wildcard Origin With Credentials
Dart Cors Wildcard Origin
Go Cors Wildcard Origin
Scala Header Insecure Cors Configuration
Kotlin Insecure Cors Origin Servlet
Python Django Uncontrolled Cors Origin
Python Wsgiref Uncontrolled Cors Origin
C Sharp Cors Wildcard Origin Aspnet
Terraform Cors Wildcard Origin Or Headers
Javascript Cors Wildcard Origin
Go Cors Wildcard With Credentials
Python Cors Allow Any Origin
Java Cors Wildcard Origin
Scala Cors Wildcard Origin Config
Json Yaml Cors Wildcard Origin
Kotlin Insecure Cors Origin
Python Flask Uncontrolled Cors Origin
Python Cors Allow All Origins
Php Cors Wildcard Origin Laravel
Java Cors Allow Origin Wildcard
Php Cors Wildcard Origin
Python Cors Wildcard Origin
Python Http Uncontrolled Cors Origin
Javascript Cors Wildcard Origin With Credentials
Javascript Cors Allow Any Origin
Typescript Cors Allow Any Origin
C Sharp Cors Wildcard Origin Aspnet Core
Python Cors Allow All Origins Fastapi
Typescript Cors Wildcard Origin
Json Yaml Cors Unrestricted Origin In Policy