Cross-Origin Resource Sharing Allowed

Impact: Informational

Description

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own (source: Mozilla). To minimize disclosure of sensitive information to foreign origins, cross-origin resource sharing should not be allowed unless specifically needed.

Recommendation

Consider removing the Access-Control-Allow-Origin header, or set its value to specific origins.
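
One way to apply this recommendation on the server side, shown as an added example that is not part of the original page or of SmartScanner. The function names and the example.com origins are constructed for illustration: corsHeaders sends the header only for an exact allowlist match, and auditCors reviews a response for the permissive values this finding is about.

```javascript
// Added example, not from the original page. All names and origins are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Decide which CORS headers to send for a request's Origin header value.
// Exact string match only: no wildcard, no suffix or regex matching, no "null".
function corsHeaders(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  // Vary: Origin keeps shared caches from reusing one origin's response for another.
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin === "string" && allowlist.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers; // the header is omitted entirely for any other origin
}

// Review a response's headers for permissive CORS values. probeOrigin is the
// Origin value that was sent with the request that produced these headers.
function auditCors(responseHeaders, probeOrigin, allowlist = ALLOWED_ORIGINS) {
  // HTTP header names are case-insensitive, so compare on lower-cased keys.
  const lower = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const acao = lower["access-control-allow-origin"];
  if (acao === undefined) return "ok: header not sent";
  if (acao === "*") return "finding: any origin allowed (*)";
  if (acao === "null") return "finding: null origin allowed";
  if (!allowlist.has(acao)) {
    return acao === probeOrigin
      ? "finding: request Origin reflected without an allowlist check"
      : "finding: origin outside the allowlist";
  }
  return "ok: specific allowed origin";
}
```

Exact matching matters here: a prefix or substring comparison would accept a look-alike such as https://app.example.com.evil.test, which the Set lookup rejects.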

Last updated on February 15, 2021
