Recipe Name:
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - origins
Description:
Allowing all origins makes the application vulnerable to scripts from any domain
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Documentation

Spring by default sets to allow all origins, however keep in mind that this means that the application's data can be accessed by JavaScript code coming from any domain.

Before
@CrossOrigin(origins = "*")
After
@CrossOrigin(origins = "https://domain.com")
References
Recipe
id: scw:spring:security:cors:CrossOrigin-origins
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - origins'
  shortDescription: Allowing all origins makes the application vulnerable to scripts from any domain
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCrossOrigin-origins.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  annotationParameter:
    owner:
      type: org.springframework.web.bind.annotation.CrossOrigin
    name: origins
    value:
      value:
        stringified: '*'
availableFixes:
- name: Specify the origins
  actions: []