Recipe Name:
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowCredentials
Description:
Allowing credentials makes the application more vulnerable
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
Documentation
Spring does not allow credentials on CORS mappings by default, because allowCredentials(true) tells the browser to attach the user's cookies, Authorization header and TLS client certificate to cross-origin requests and to expose the response to the calling page. Every origin on the allowed list can then act as the logged-in user and read what comes back, so the setting is only safe next to a short, explicit list of trusted origins; combined with a wildcard or a reflected Origin it turns an authenticated API into a cross-site data leak. Browsers refuse Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true, and Spring Framework 5.3 and later reject allowedOrigins("*") combined with allowCredentials(true) (wildcards belong in allowedOriginPatterns). Note that allowCredentials(boolean) is defined on CorsRegistration, the object returned by CorsRegistry#addMapping, which is the type this recipe matches on.
Be cautious when setting CORS configurations: leave credentials off unless a cross-origin caller genuinely needs a cookie-based session, and keep the origin list explicit.
Before:
// allowCredentials(boolean) lives on CorsRegistration, returned by registry.addMapping(...);
// the "/**" mapping pattern is illustrative
registry.addMapping("/**").allowCredentials(true);
After:
registry.addMapping("/**").allowCredentials(false);
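A worked configuration, added here for illustration and not part of the recipe or of Spring's own documentation. It assumes Spring Framework 5.3 or later (for allowedOriginPatterns and validateAllowCredentials), a hypothetical package com.example.cors and a hypothetical trusted origin https://app.example.com. The first configurer is the broad setting this recipe flags; the second is the hardened form, with credentials disabled on the public mapping and enabled only for one explicit first-party origin. The main method shows how Spring's CorsConfiguration evaluates an Origin header against an explicit list and against a wildcard with credentials.

```java
package com.example.cors; // hypothetical package

import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Broad CORS setting the recipe flags. Deliberately NOT annotated with
 * @Configuration so it is never registered; it is shown only for contrast.
 * Any origin may send the victim's cookies / Authorization header and read
 * the response.
 */
class BroadCorsConfig implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOriginPatterns("*")   // every origin on the internet...
                .allowedMethods("*")
                .allowCredentials(true);      // ...acting as the logged-in user
    }
}

/**
 * Hardened form. Credentials stay off on the public mapping (the recipe's fix)
 * and are enabled only for an explicit, first-party origin that really needs a
 * cookie-based session; origins, methods and headers are listed, never "*".
 */
@Configuration
class HardenedCorsConfig implements WebMvcConfigurer {
    // Hypothetical trusted origin; replace with the real front-end origin(s).
    private static final String[] TRUSTED_ORIGINS = { "https://app.example.com" };

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/public/**")
                .allowedOrigins(TRUSTED_ORIGINS)
                .allowedMethods("GET", "HEAD")
                .allowCredentials(false);     // no cookies or auth headers cross-origin

        registry.addMapping("/api/session/**")
                .allowedOrigins(TRUSTED_ORIGINS)  // explicit list only; "*" is rejected here
                .allowedMethods("GET", "POST")
                .allowedHeaders("Content-Type", "X-Requested-With")
                .allowCredentials(true)
                .maxAge(600);
    }
}

/** Stand-alone check of how Spring evaluates the Origin header against these settings. */
public class CorsCheckDemo {
    public static void main(String[] args) {
        // Explicit origin list with credentials: only the listed origin is echoed back.
        CorsConfiguration explicit = new CorsConfiguration();
        explicit.setAllowedOrigins(List.of("https://app.example.com"));
        explicit.setAllowCredentials(true);
        System.out.println("trusted : " + explicit.checkOrigin("https://app.example.com"));
        System.out.println("attacker: " + explicit.checkOrigin("https://attacker.example"));

        // Wildcard origin plus credentials: the combination browsers refuse and
        // Spring 5.3+ rejects with IllegalArgumentException.
        CorsConfiguration wildcard = new CorsConfiguration();
        wildcard.addAllowedOrigin("*");
        wildcard.setAllowCredentials(true);
        try {
            wildcard.validateAllowCredentials();
            System.out.println("wildcard + credentials accepted (pre-5.3 behaviour)");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the explicit list, checkOrigin returns the origin itself for https://app.example.com and null for any other origin; a null result means Spring emits no Access-Control-Allow-* headers and the browser blocks the cross-origin read. Keeping the two mappings separate is the point of the hardened configurer: the endpoints that must be reachable from other sites get no credentials at all, and the credentialed mapping is confined to paths and origins that are enumerated by hand.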
Recipe
id: scw:spring:security:cors:CorsRegistry#allowCredentials
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowCredentials'
  shortDescription: Allowing credentials makes the application more vulnerable
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCorsRegistryallowCredentials.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  methodcall:
    args:
      1:
        value:
          stringified: "true"
    name: allowCredentials
    type: org.springframework.web.servlet.config.annotation.CorsRegistration
availableFixes:
  - name: Set to disallow credentials
    actions:
      - modifyArguments:
          rewrite:
            1: "false"