Cross-Origin Resource Sharing Allowed
Impact: Informational
Description
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own (definition from Mozilla). Cross-origin resource sharing should not be allowed unless it is specifically needed, in order to minimize disclosure of sensitive information to foreign origins. In practice the finding means the response carried an Access-Control-Allow-Origin header, so pages served from other origins can read this response in the user's browser.
Recommendation
Consider removing the Access-Control-Allow-Origin header, or restrict its value to the specific trusted origins that actually need cross-origin access rather than using the wildcard "*".
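The following is an added example, not code from the original advisory, showing the weak setting beside the hardened one: a helper that emits Access-Control-Allow-Origin only when the request's Origin exactly matches an explicit allowlist, plus a small Express-style middleware wrapper. The allowlist entries and the request/response shapes (req.headers, res.setHeader) are constructed assumptions for the demonstration.

```javascript
// Added example (not from the original advisory). Computes CORS response
// headers for a request's Origin. ALLOWED_ORIGINS is a constructed
// placeholder; replace it with the origins your application really serves.

// Weak setting the advisory flags: every origin is allowed, so any site can
// read the response from inside a victim's browser.
function weakCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened setting: only origins on an explicit allowlist get the header,
// and the value is the single matching origin rather than '*'.
// 'Vary: Origin' tells shared caches that the response differs per origin.
function strictCorsHeaders(requestOrigin, allowedOrigins) {
  // Same-origin and non-browser requests carry no Origin header: emit nothing.
  if (typeof requestOrigin !== 'string') return {};
  // Exact comparison on the full origin (scheme + host + port). A substring
  // or prefix check would accept look-alike hosts, so never "reflect" the
  // Origin header back unless it matched exactly.
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin',
  };
}

// Express-style middleware wrapper (assumed shape: req.headers, res.setHeader).
function corsMiddleware(allowedOrigins) {
  return function (req, res, next) {
    const headers = strictCorsHeaders(req.headers.origin, allowedOrigins);
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    next();
  };
}

// Runs the middleware against a constructed request and returns the headers
// it would have set, so the behaviour can be inspected without a server.
function simulate(origin, allowedOrigins) {
  const recorded = {};
  const req = { headers: origin === undefined ? {} : { origin: origin } };
  const res = { setHeader: (name, value) => { recorded[name] = value; } };
  let nextCalled = false;
  corsMiddleware(allowedOrigins)(req, res, () => { nextCalled = true; });
  return { headers: recorded, nextCalled: nextCalled };
}

// Constructed allowlist for the demonstration.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];

// Demonstration (constructed inputs).
console.log('weak  :', weakCorsHeaders());
console.log('allowed origin :', simulate('https://app.example.com', ALLOWED_ORIGINS).headers);
console.log('foreign origin :', simulate('https://evil.example.net', ALLOWED_ORIGINS).headers);
console.log('no Origin header:', simulate(undefined, ALLOWED_ORIGINS).headers);
```

Two points worth checking when reviewing a fix: the comparison must be against the complete origin string, not a substring or regular expression that a look-alike host could satisfy, and if the response also sets Access-Control-Allow-Credentials: true the browser will reject "*", so the allowlisted-origin form is the only workable one there.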
References
Last updated on February 15, 2021