Recipe Name:
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - exposedHeaders
Description:
Exposing all headers makes the application vulnerable
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
Documentation
Be cautious when using a wildcard ("*") while configuring @CrossOrigin. Allowing CORS, in particular with overly permissive settings, can make the application vulnerable to attacks.
@CrossOrigin(exposedHeaders = "*")After
@CrossOrigin(exposedHeaders = "header1")References
Recipe
id: scw:spring:security:cors:CrossOrigin-exposedHeaders
version: 10
metadata:
name: 'Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - exposedHeaders'
shortDescription: Exposing all headers makes the application vulnerable
level: warning
language: java
enabled: true
descriptionFile: descriptions/AvoidbroadsettingsCrossOrigin-exposedHeaders.html
tags: Spring;security;framework specific;web;Spring Security
search:
annotationParameter:
owner:
type: org.springframework.web.bind.annotation.CrossOrigin
name: exposedHeaders
value:
anyOf:
- value:
stringified: '*'
- value:
stringified: '{"*"}'
availableFixes:
- name: Specify the exposedHeaders
actions: []