Description
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to allow a web application running at one origin to access selected resources from a different origin. However, allowing CORS without specific need can lead to the disclosure of sensitive information to foreign origins.
Recommendation
Consider removing the Access-Control-Allow-Origin header altogether or restrict it to specific origins as needed to minimize the risk of sensitive data exposure.
References
Related Issues
- X-XSS-Protection Header is Set - Vulnerability
- X-XSS-Protection Header is Missing - Vulnerability
- X-Powered-By Header Found - Vulnerability
- X-Frame-Options Header is Missing - Vulnerability
You might also like:
- Tags:
- HTTP Headers
- CORS
- Application Misconfiguration
Anything's wrong? Let us know Last updated on May 13, 2024


