Recipe Name:
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - methods
Description:
Allowing unsafe methods puts the application at risk
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
Documentation
By using the wildcard "*", or by configuring @CrossOrigin to permit state-changing methods such as PUT or DELETE, the application can be exposed to cross-origin attacks in which a page on an attacker-controlled site issues those requests on a visitor's behalf (with the visitor's cookies when allowCredentials is enabled). Spring's permissive defaults (CorsConfiguration.applyPermitDefaultValues()) allow only GET, HEAD and POST, so a longer method list is always an explicit widening. Note that the methods attribute takes RequestMethod values; the equivalent wildcard in the global CorsRegistry API is allowedMethods("*"), which is just as broad. Restrict the list to the methods the cross-origin client genuinely needs, and pair it with an explicit origins list rather than the default "*".
Before
@CrossOrigin(methods = "*")
After
@CrossOrigin(methods = {RequestMethod.GET, RequestMethod.POST})
References
Recipe
id: scw:spring:security:cors:CrossOrigin-methods
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - methods'
  shortDescription: Allowing unsafe methods puts the application at risk
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCrossOrigin-methods.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  annotationParameter:
    owner:
      type: org.springframework.web.bind.annotation.CrossOrigin
    name: methods
    value:
      anyOf:
      - value:
          stringified:
            contains: RequestMethod.DELETE
            caseSensitive: false
      - value:
          stringified:
            contains: RequestMethod.PUT
      - value:
          stringified: '*'
availableFixes:
- name: Configure the annotation to allow safe methods
  actions: []
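As an added worked example (not part of the recipe's own documentation or fix), the following Spring MVC code shows the broad setting the recipe flags beside the narrowed form, plus the equivalent global CorsRegistry configuration that keeps individual handlers from widening it. The controller and class names, the /api/orders paths and the origin https://app.example.com are assumptions; the two controllers are the before and after of one fix and would not both be registered in the same application.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Hypothetical names, paths and origin; none of this is from the recipe page.

// BROAD (what the recipe flags): PUT and DELETE are reachable cross-origin,
// and because origins is not set, @CrossOrigin defaults to allowing every origin.
// Shown for contrast only; register either this class or OrderController, not both.
@RestController
@RequestMapping("/api/orders")
@CrossOrigin(methods = {RequestMethod.GET, RequestMethod.POST,
                        RequestMethod.PUT, RequestMethod.DELETE})
class BroadOrderController {
    @DeleteMapping("/{id}")
    public void cancel(@PathVariable String id) {
        // any site a logged-in user visits can reach this through a CORS request
    }
}

// NARROW (the recipe's fix): a named origin and only the methods the
// cross-origin client needs. The DELETE handler still serves same-origin
// callers, but a cross-origin preflight asking for DELETE is rejected
// because DELETE is absent from the class-level methods list.
@RestController
@RequestMapping("/api/orders")
@CrossOrigin(origins = "https://app.example.com",
             methods = {RequestMethod.GET, RequestMethod.POST})
class OrderController {
    @GetMapping("/{id}")
    public String get(@PathVariable String id) {
        return "order " + id;
    }

    @PostMapping
    public String create(@RequestBody String body) {
        return "created";
    }

    @DeleteMapping("/{id}")
    public void cancel(@PathVariable String id) {
        // not exposed cross-origin: DELETE is not in the @CrossOrigin methods list
    }
}

// Global equivalent: the same restriction applied to every /api/** mapping.
// allowedMethods("*") here is the CorsRegistry form of the wildcard the
// recipe flags and should be avoided for the same reason.
@Configuration
class CorsConfig implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")
                .allowedMethods("GET", "POST");
    }
}
```

To check the narrowed configuration, send a preflight OPTIONS request to /api/orders/1 carrying an Origin header for an unlisted site and Access-Control-Request-Method: DELETE; Spring's DefaultCorsProcessor answers 403 with the body "Invalid CORS request" and no Access-Control-Allow-* headers, while the same preflight for GET from https://app.example.com succeeds.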