Sensei Logo Sensei Hub

Recipe - Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowCredentials

Description:
Allowing credentials makes the application more vulnerable
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Documentation

Avoid setting allowCredentials to true when configuring @CrossOrigin, as it could make the application more vulnerable to attacks.

Before
@CrossOrigin(allowCredentials = "true")
After
@CrossOrigin(allowCredentials = "false")
References
Recipe
id: scw:spring:security:cors:CrossOrigin-allowCredentials
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowCredentials'
  shortDescription: Allowing credentials makes the application more vulnerable
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCrossOrigin-allowCredentials.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  annotationParameter:
    owner:
      type: org.springframework.web.bind.annotation.CrossOrigin
    name: allowCredentials
    value:
      value:
        stringified: "true"
availableFixes:
- name: Set allowCredentials to false
  actions:
  - rewrite:
      to: allowCredentials = "false"