Sensei Logo Sensei Hub

Recipe - Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#maxAge

Description:
A value over 30 minutes is considered prolonged and likely to reduce security
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Documentation

Spring sets the caching of a pre-flight request by default to 1800 seconds (30 minutes). Any value over 30 minutes is prolonged, and could increase security risks.

Before
registry.maxAge(3600);
After
registry.maxAge(1800);
References
Recipe
id: scw:spring:security:cors:CorsRegistry#maxAge
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#maxAge'
  shortDescription: A value over 30 minutes is considered prolonged and likely to reduce security
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/Avoidprolongedcaching.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  methodcall:
    args:
      1:
        type:
          checkInheritance: true
        value:
          integer:
            greaterThan: 1800
    name: maxAge
    type: org.springframework.web.servlet.config.annotation.CorsRegistration
availableFixes:
- name: Set to 30 minutes
  actions:
  - modifyArguments:
      rewrite:
        1: "1800"