
Recipe - Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin

Description:
Avoid enabling CORS, or configure it as strictly as possible
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Documentation

Enabling CORS relaxes the browser's same-origin policy for the annotated endpoints, so a broad configuration (no attributes, or wildcard origins, methods and headers) exposes the application to cross-origin abuse. If enabling CORS cannot be avoided, make sure it is configured as strictly as possible: name only the origins, methods and headers that are actually needed.

Before
@CrossOrigin
After
@CrossOrigin(origins = "origin1", methods = {RequestMethod.GET}, exposedHeaders = {"header1"}, allowedHeaders = {"header1"}, allowCredentials = "false", maxAge = 1800)
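The controller below is an added illustration, not code from the recipe or from Spring, of the "Before" and "After" forms side by side on real handler methods. The origin `https://app.example.com`, the header name `X-Request-Id` and the `/api/balance` paths are assumed values chosen for the example.

```java
package example;

import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class BalanceController {

    // "Before" form, the pattern the recipe flags: with no attributes, Spring's
    // @CrossOrigin allows every origin ("*") and every request header for the
    // HTTP methods declared on the handler, so any site a user visits can read
    // this response from the user's browser.
    @CrossOrigin
    @GetMapping("/api/balance/broad")
    public String balanceBroad() {
        return "{\"balance\": 100}";
    }

    // "After" form: each attribute is pinned to the one value the front end needs.
    @CrossOrigin(
        origins = "https://app.example.com",   // assumed front-end origin; never "*"
        methods = {RequestMethod.GET},         // only the method this handler serves
        allowedHeaders = {"X-Request-Id"},     // assumed custom header the client sends
        exposedHeaders = {"X-Request-Id"},     // the only non-safelisted header scripts may read
        allowCredentials = "false",            // no cookies or HTTP auth on cross-origin calls
        maxAge = 1800                          // browser may cache the preflight result for 30 min
    )
    @GetMapping("/api/balance")
    public String balance() {
        return "{\"balance\": 100}";
    }
}
```

To verify the strict form after deploying, send the endpoint an OPTIONS preflight (and a plain GET) carrying an `Origin` header for a site that is not listed and confirm the response contains no `Access-Control-Allow-Origin` header; only requests whose `Origin` is exactly `https://app.example.com` should receive one, and it should echo that single origin rather than `*`.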
References
Recipe
id: scw:spring:security:cors:CrossOrigin-broad
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin'
  shortDescription: Avoid enabling CORS, or configure it as strictly as possible
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCrossOrigin.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  annotation:
    type: org.springframework.web.bind.annotation.CrossOrigin
    without:
      anyOf:
      - parameters:
        - name: methods
      - parameters:
        - name: origins
      - parameters:
        - name: exposedHeaders
      - parameters:
        - name: allowedHeaders
      - parameters:
        - name: allowCredentials
      - parameters:
        - name: maxAge
availableFixes:
- name: Configure @CrossOrigin as strictly as possible
  actions: []