Insecure CORS policy

Severity
Medium

The same-origin policy prevents a Web application front-end from reading responses to requests it sends to a different origin (a different scheme, host, or port). Cross-Origin Resource Sharing (CORS) response headers can be used to relax this restriction for selected origins. A CORS policy that is too permissive, such as an Access-Control-Allow-Origin value of "*" or one that reflects whatever Origin header the request carries, lets scripts running on untrusted or malicious origins read the application's responses, including responses to authenticated requests when credentials are also allowed.

Detector ID
java/insecure-cors-policy@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

import javax.servlet.http.HttpServletResponse;

public void allowOriginNoncompliant(HttpServletResponse response) {
    // Noncompliant: Access-Control-Allow-Origin is set to "*", so a script on any origin can read this response.
    response.setHeader("Access-Control-Allow-Origin", "*");
}

Compliant example

import javax.servlet.http.HttpServletResponse;

public void allowOriginCompliant(HttpServletResponse response) {
    // Compliant: Access-Control-Allow-Origin names a single trusted origin.
    // The value must be a full origin (scheme and host, plus port if non-default); a bare
    // host name such as "mytrustedsite.com" does not match any browser origin and a wildcard is not used.
    response.setHeader("Access-Control-Allow-Origin", "https://mytrustedsite.com");
}
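The compliant example above covers exactly one trusted origin. When several origins must be allowed, the header can still carry only one value per response, so the server has to pick the request's Origin out of an allow list and echo that one back. The following is an added example written for this page, not code from the detector or from any project it refers to: it assumes the javax.servlet API on the classpath (as the page's own snippets do), a hypothetical allow list of two origins, and constructed Origin header values in main for illustration. It shows exact-match comparison (a contains/endsWith check would let "https://mytrustedsite.com.attacker.example" through), a Vary: Origin header so shared caches do not serve one origin's response to another, credentials granted only to an allow-listed origin (never together with "*"), and no CORS headers at all for an unknown or "null" origin.

```java
import java.util.Optional;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class CorsAllowList {

    // Assumed allow list for illustration: full serialized origins (scheme + host [+ port]).
    // Entries are compared by exact string match against the request's Origin header.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://mytrustedsite.com",
            "https://app.mytrustedsite.com:8443");

    /** Returns the origin to echo back in Access-Control-Allow-Origin, or empty if it is not allowed. */
    static Optional<String> allowedOrigin(String requestOrigin) {
        if (requestOrigin == null || requestOrigin.isEmpty()) {
            return Optional.empty();
        }
        // Exact match only. contains(), startsWith() or endsWith() against the trusted host would
        // also accept "https://mytrustedsite.com.attacker.example" or
        // "https://attacker.example/?https://mytrustedsite.com".
        // The literal origin "null" (sandboxed iframes, data: URLs) is not in the list and is rejected.
        return ALLOWED_ORIGINS.contains(requestOrigin) ? Optional.of(requestOrigin) : Optional.empty();
    }

    /**
     * Sets CORS headers only when the request comes from an allow-listed origin.
     * Returns false (and sets no CORS headers) otherwise, so the browser blocks the cross-origin read.
     */
    static boolean applyCors(HttpServletRequest request, HttpServletResponse response) {
        Optional<String> origin = allowedOrigin(request.getHeader("Origin"));
        if (origin.isEmpty()) {
            return false;
        }
        // Echo back the single matched origin, never "*" and never an unvalidated Origin value.
        response.setHeader("Access-Control-Allow-Origin", origin.get());
        // The response now depends on the Origin header; tell caches to key on it.
        response.addHeader("Vary", "Origin");
        // Credentials may only be allowed for a specific origin; browsers reject "*" with credentials,
        // and reflecting arbitrary origins here would hand authenticated responses to any site.
        response.setHeader("Access-Control-Allow-Credentials", "true");
        if ("OPTIONS".equals(request.getMethod())) {
            // Preflight response: restrict methods and headers to what the API actually needs.
            response.setHeader("Access-Control-Allow-Methods", "GET, POST");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
            response.setHeader("Access-Control-Max-Age", "600");
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed Origin header values (not real traffic) to show what exact matching accepts.
        String[] samples = {
            "https://mytrustedsite.com",
            "https://app.mytrustedsite.com:8443",
            "http://mytrustedsite.com",
            "https://mytrustedsite.com.attacker.example",
            "https://attacker.example/?https://mytrustedsite.com",
            "null",
            null
        };
        for (String origin : samples) {
            String verdict = allowedOrigin(origin).map(o -> "allow " + o).orElse("deny");
            System.out.println(origin + " -> " + verdict);
        }
    }
}
```

Call applyCors(request, response) from a filter or at the top of the servlet's service method before writing the body; when it returns false the response is sent without any Access-Control-* header, which is the correct outcome for an origin that is not trusted. If the allow list must be configurable, load it from configuration as full origins and still compare with equals, not with pattern or substring matching.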