Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin

Recipe Name:

Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - maxAge

Description:

A value over 30 minutes is considered prolonged and likely to reduce security

Level:

warning

Language:

java

Tags:

Spring
security
framework specific
web
Spring Security

Documentation

Spring sets the caching of a pre-flight request by default to 1800 seconds (30 minutes). Any value over 30 minutes is prolonged, and could increase security risks.

Before

@CrossOrigin(maxAge = 3600)

After

@CrossOrigin(maxAge = 1800)

References

Fortify Taxonomy - HTML5: CORS Prolonged Caching of Preflight Response

Recipe

id: scw:spring:security:cors:CrossOrigin-maxAge
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - maxAge'
  shortDescription: A value over 30 minutes is considered prolonged and likely to reduce security
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCrossOrigin-maxAge.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  annotationParameter:
    owner:
      type: org.springframework.web.bind.annotation.CrossOrigin
    name: maxAge
    value:
      value:
        integer:
          greaterThan: 1800
availableFixes:
- name: Set to 30 minutes
  actions:
  - rewrite:
      to: maxAge = 1800