Recipe Name:
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#maxAge
Description:
A value over 30 minutes is considered prolonged and likely to reduce security
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
Documentation
Spring sets the caching of a pre-flight request by default to 1800 seconds (30 minutes). Any value over 30 minutes is prolonged, and could increase security risks.
Beforeregistry.maxAge(3600);After
registry.maxAge(1800);References
Recipe
id: scw:spring:security:cors:CorsRegistry#maxAge
version: 10
metadata:
name: 'Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#maxAge'
shortDescription: A value over 30 minutes is considered prolonged and likely to reduce security
level: warning
language: java
enabled: true
descriptionFile: descriptions/Avoidprolongedcaching.html
tags: Spring;security;framework specific;web;Spring Security
search:
methodcall:
args:
1:
type:
checkInheritance: true
value:
integer:
greaterThan: 1800
name: maxAge
type: org.springframework.web.servlet.config.annotation.CorsRegistration
availableFixes:
- name: Set to 30 minutes
actions:
- modifyArguments:
rewrite:
1: "1800"