Origin Header CORS Misconfiguration
This vulnerability occurs when the application copies the value of the request's Origin header into the Access-Control-Allow-Origin response header without first validating it against a list of trusted origins.
Because the application echoes whatever origin the browser sends, any site that an authenticated user visits can issue cross-origin requests to the application and, when Access-Control-Allow-Credentials is also set to true, read the responses with the user's session cookies attached. The impact is comparable to client-side attacks such as XSS or session hijacking: a malicious page can read personal data, API keys or anti-CSRF tokens that were meant only for the logged-in user.
Ensure that the request Origin header is never used as the source of the Access-Control-Allow-Origin value. Compare it against a fixed allowlist of exact origins (scheme, host and port), echo it back only on an exact match, and do not allowlist the literal origin "null".
If CORS is not required, disable it altogether. If it is required, set Access-Control-Allow-Origin only on resources that are safe to expose cross-origin, that is, resources that return no data belonging to the currently logged-in user.
This finding may be an intended application feature.