Description

The application has an unsafe configuration of the Cross-Origin-Resource-Policy header. This may be because:
- The header is missing from server responses.
- The header does not define a restrictive resource policy.
- The header is configured with insecure or overly permissive values.

Impact

- Allows resources to be loaded by unauthorized cross-origin or cross-site contexts.
- Increases exposure to attacks such as Cross-Site Script Inclusion, information leaks, hotlinking, or speculative side-channel attacks.

Recommendation

Set the Cross-Origin-Resource-Policy header in the server responses and configure it with a restrictive value, such as same-origin or same-site, according to the expected resource usage.
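As an added example (not part of this advisory), the check below classifies a response's Cross-Origin-Resource-Policy header into the three conditions listed in the description, and a small WSGI middleware applies a restrictive default to responses that lack the header. Function names, the sample app and the request environment are constructed for illustration.

```python
# Classify a response's CORP header and enforce a restrictive default.
from typing import Mapping, Optional

RESTRICTIVE = {"same-origin", "same-site"}
PERMISSIVE = {"cross-origin"}


def assess_corp(headers: Mapping[str, str]) -> str:
    """Return 'missing', 'invalid', 'permissive' or 'restrictive'.

    Header names are matched case-insensitively and the value is compared
    after trimming and lower-casing. Browsers ignore values they do not
    recognise, so an 'invalid' value gives the same (absent) protection
    as a missing header.
    """
    value: Optional[str] = None
    for name, val in headers.items():
        if name.lower() == "cross-origin-resource-policy":
            value = val
            break
    if value is None:
        return "missing"
    token = value.strip().lower()
    if token in RESTRICTIVE:
        return "restrictive"
    if token in PERMISSIVE:
        return "permissive"
    return "invalid"


def corp_middleware(app, policy: str = "same-origin"):
    """Wrap a WSGI app so responses without a CORP header get `policy`.

    A header the app already set is left untouched; only the missing
    case is corrected, so an explicit (audited) cross-origin choice for
    a public asset is not overridden.
    """
    if policy not in RESTRICTIVE | PERMISSIVE:
        raise ValueError(f"not a valid CORP value: {policy!r}")

    def wrapped(environ, start_response):
        def sr(status, response_headers, exc_info=None):
            if assess_corp(dict(response_headers)) == "missing":
                response_headers = list(response_headers) + [
                    ("Cross-Origin-Resource-Policy", policy)]
            return start_response(status, response_headers, exc_info)
        return app(environ, sr)
    return wrapped


def response_headers(app):
    """Drive a WSGI app once with a constructed GET and return its headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)
    body = app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured["headers"]


def sample_app(environ, start_response):
    """Constructed app that sets no CORP header (the 'missing' condition)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]
```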

Threat

Unauthorized attacker from Internet.

Expected Remediation Time

⏱️ 3600 minutes.

Fixes