Recipe Name:
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin
Description:
Avoid enabling CORS, or configure it as strictly as possible
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
Documentation
Enabling CORS lets browsers on other origins read responses from your application, which widens its attack surface. If CORS cannot be avoided, configure it as strictly as possible: name the exact origins, methods and headers you need, keep credentials disabled unless they are required, and set a bounded preflight cache age.
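As an added example (not part of the recipe page or the Sensei project), a controller showing the bare annotation this recipe flags next to the strictly configured form, plus the equivalent central configuration through WebMvcConfigurer, which goes beyond the annotation-only fix the recipe shows. The origin, path and header names are placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@RestController
public class AccountController {

    // Flagged by the recipe: no attributes are set, so Spring's defaults apply and
    // any origin may read this response cross-origin. Nothing ties the policy to
    // the one front end that actually needs it.
    @CrossOrigin
    @GetMapping("/api/account/broad")
    public String broad() {
        return "{\"balance\": 42}";
    }

    // Strict form: one trusted origin (placeholder), only GET, one request header
    // accepted and one response header exposed, no credentials, 30-minute preflight cache.
    @CrossOrigin(
        origins = "https://app.example.com",
        methods = {RequestMethod.GET},
        allowedHeaders = {"X-Request-Id"},
        exposedHeaders = {"X-Request-Id"},
        allowCredentials = "false",
        maxAge = 1800)
    @GetMapping("/api/account/strict")
    public String strict() {
        return "{\"balance\": 42}";
    }
}

// Same policy applied centrally for every /api/** mapping, so reviewers can audit
// one place instead of every annotation (assumed path and origin are placeholders).
@Configuration
class StrictCorsConfig implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
            .allowedOrigins("https://app.example.com")
            .allowedMethods("GET")
            .allowedHeaders("X-Request-Id")
            .exposedHeaders("X-Request-Id")
            .allowCredentials(false)
            .maxAge(1800);
    }
}
```

A preflight from any other origin then receives no Access-Control-Allow-Origin header, so the browser blocks the cross-origin read.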
Before:
@CrossOrigin
After:
@CrossOrigin(origins = "origin1", methods = {RequestMethod.GET}, exposedHeaders = {"header1"}, allowedHeaders = {"header1"}, allowCredentials = "false", maxAge = 1800)
References
Recipe
id: scw:spring:security:cors:CrossOrigin-broad
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin'
  shortDescription: Avoid enabling CORS, or configure it as strictly as possible
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCrossOrigin.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  annotation:
    type: org.springframework.web.bind.annotation.CrossOrigin
    without:
      anyOf:
        - parameters:
            - name: method
        - parameters:
            - name: origins
        - parameters:
            - name: exposedHeaders
        - parameters:
            - name: allowedHeaders
        - parameters:
            - name: allowCredentials
        - parameters:
            - name: maxAge
availableFixes:
  - name: Configure @CrossOrigin as strictly as possible
    actions: []