Sensei Logo Sensei Hub

Recipe - Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedOrigins

Description:
Allowing all origins makes the application vulnerable to scripts from any domain
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Documentation

Spring by default sets to allow all origins, however keep in mind that this means that the application's data can be accessed by JavaScript code coming from any domain.

Before
registry.allowedOrigins("*");
After
registry.allowedOrigins("https://domain.com");
References
Recipe
id: scw:spring:security:cors:CorsRegistry#allowedOrigins'
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedOrigins'
  shortDescription: Allowing all origins makes the application vulnerable to scripts from any domain
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCorsRegistryallowedOrigins.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  methodcall:
    args:
      1:
        value:
          stringified: '*'
    name: allowedOrigins
    type: org.springframework.web.servlet.config.annotation.CorsRegistration
availableFixes:
- name: Specify the allowedOrigins
  actions:
  - modifyArguments:
      rewrite:
        1: '"https://..."'