Recipe Name:
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - origins
Description:
Allowing all origins makes the application vulnerable to scripts from any domain
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
Documentation
The @CrossOrigin annotation allows all origins by default. Keep in mind that this means the application's data can be read by JavaScript code served from any domain, so the allowed origins should be restricted to the sites that legitimately need cross-origin access.
Before:
@CrossOrigin(origins = "*")
After:
@CrossOrigin(origins = "https://domain.com")
References:
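The following is an added example, not part of the recipe: a hypothetical Spring controller carrying both the flagged and the fixed annotation, plus a MockMvc test showing how Spring answers a request from a foreign origin in each case. It assumes a Spring Boot project with spring-boot-starter-web and spring-boot-starter-test; the paths and the origin value are constructed for the example.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical controller: the broad setting flagged by the recipe next to the fixed one.
@RestController
class ProfileController {
    // Flagged: a browser on any site may read this response cross-origin.
    @CrossOrigin(origins = "*")
    @GetMapping("/api/profile/open")
    String open() { return "{\"email\":\"user@example.com\"}"; }

    // Fixed: only the application's own front-end origin is allowed.
    @CrossOrigin(origins = "https://domain.com")
    @GetMapping("/api/profile/restricted")
    String restricted() { return "{\"email\":\"user@example.com\"}"; }
}

@WebMvcTest(ProfileController.class)
class CorsOriginTest {
    @Autowired MockMvc mvc;
    // Constructed origin that is not the application's front-end.
    static final String FOREIGN = "https://other-site.example";

    @Test
    void wildcardAllowsAnyOrigin() throws Exception {
        // With origins = "*", Spring echoes a wildcard allow header for any Origin.
        mvc.perform(get("/api/profile/open").header("Origin", FOREIGN))
           .andExpect(status().isOk())
           .andExpect(header().string("Access-Control-Allow-Origin", "*"));
    }

    @Test
    void explicitOriginRejectsOthers() throws Exception {
        // A disallowed origin gets 403 from Spring's CORS processor and no CORS headers.
        mvc.perform(get("/api/profile/restricted").header("Origin", FOREIGN))
           .andExpect(status().isForbidden())
           .andExpect(header().doesNotExist("Access-Control-Allow-Origin"));
        // The configured origin is allowed and reflected back exactly.
        mvc.perform(get("/api/profile/restricted").header("Origin", "https://domain.com"))
           .andExpect(status().isOk())
           .andExpect(header().string("Access-Control-Allow-Origin", "https://domain.com"));
    }
}
```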
Recipe
id: scw:spring:security:cors:CrossOrigin-origins
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - origins'
  shortDescription: Allowing all origins makes the application vulnerable to scripts from any domain
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCrossOrigin-origins.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  annotationParameter:
    owner:
      type: org.springframework.web.bind.annotation.CrossOrigin
    name: origins
    value:
      value:
        stringified: '*'
availableFixes:
  - name: Specify the origins
    actions: []