Security Test: Access-Control-Allow-Origin Header¶

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	Frontend Scanner

Description¶

Default Severity:

The Access-Control-Allow-Origin header tells the browser which websites are allowed to access resources on your server. When developers set it too loosely—by using a wildcard (*) or forgetting it altogether—it can allow any site to make requests. This misconfiguration can let attackers access sensitive data or misuse authenticated sessions, increasing the risk of data leaks or unauthorized actions. The biggest pitfall is treating cross-origin resource sharing as an afterthought instead of a security concern, which opens up your application to potential exploitation.

Reference:

https://owasp.org/www-community/Security_Headers
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

Configuration¶

Identifier: protocol/header_access_control_allow_origin

Examples¶

All configuration available:

checks:
  protocol/header_access_control_allow_origin:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API7:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`6.5.10`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-95`
ISO 27001	`A.14.1`
NIST	`SP800-53`
FedRAMP	`AC-4`
CWE	`346`
CVSS Vector	`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
CVSS Score	`4.3`