Recipe Name:
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowCredentials
Description:
Allowing credentials makes the application more vulnerable
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Documentation

Avoid setting allowCredentials to "true" when configuring @CrossOrigin, as it could make the application more vulnerable to attacks. With credentials allowed, the browser attaches cookies and HTTP authentication to cross-origin requests from every origin the annotation permits (all origins, unless origins are listed explicitly), so a page on an unrelated origin can make authenticated requests on the user's behalf and read the responses. Leaving allowCredentials at "false" keeps cross-origin calls unauthenticated.

Before
@CrossOrigin(allowCredentials = "true")
After
@CrossOrigin(allowCredentials = "false")
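The weak setting and the recipe's corrected setting, placed side by side on a hypothetical Spring MVC controller (an added example, not code from the recipe itself; the controller, its paths and the origin https://app.example.com are assumptions for illustration). The third handler goes beyond the recipe's fix and shows the only acceptable shape when a credentialed cross-origin call is genuinely required: origins pinned explicitly, never the wildcard.

```java
// Added example, not part of the Sensei recipe: weak versus corrected
// @CrossOrigin settings on a hypothetical Spring MVC controller.
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AccountController {

    // Weak (what the recipe flags): credentials are allowed and no origins are
    // listed, so the annotation's default of all origins applies. A page on any
    // origin can send the user's session cookie with this request and read the
    // response from the logged-in user's account.
    @CrossOrigin(allowCredentials = "true")
    @GetMapping("/api/account/balance-unsafe")
    public String balanceUnsafe() {
        return "{\"balance\": 100}";
    }

    // Corrected as the recipe rewrites it: cookies and HTTP authentication are
    // not sent on cross-origin requests, so a cross-origin caller only ever sees
    // the response an unauthenticated request would get.
    @CrossOrigin(allowCredentials = "false")
    @GetMapping("/api/account/balance")
    public String balance() {
        return "{\"balance\": 100}";
    }

    // Beyond the recipe: if a credentialed cross-origin call is truly required,
    // name the trusted origin explicitly (assumed value). Spring's CORS support
    // rejects allowCredentials = "true" combined with the "*" origin, so the
    // origin list must be concrete for this to work at all.
    @CrossOrigin(origins = "https://app.example.com", allowCredentials = "true")
    @GetMapping("/api/account/profile")
    public String profile() {
        return "{\"name\": \"example\"}";
    }
}
```

When reviewing a fix, check the generated response headers with a cross-origin preflight: the corrected handler must not emit Access-Control-Allow-Credentials: true, and any handler that does emit it must also emit a specific Access-Control-Allow-Origin value rather than "*".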
References
Recipe
id: scw:spring:security:cors:CrossOrigin-allowCredentials
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowCredentials'
  shortDescription: Allowing credentials makes the application more vulnerable
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCrossOrigin-allowCredentials.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  annotationParameter:
    owner:
      type: org.springframework.web.bind.annotation.CrossOrigin
    name: allowCredentials
    value:
      value:
        stringified: "true"
availableFixes:
- name: Set allowCredentials to false
  actions:
  - rewrite:
      to: allowCredentials = "false"