Security Test: Access-Control-Allow-Origin Header
Description
Default Severity:
The Access-Control-Allow-Origin header tells the browser which websites are allowed to access resources on your server. When developers set it too loosely, by using a wildcard (*) or forgetting it altogether, any site may be able to make requests. This misconfiguration can let attackers read sensitive data or misuse authenticated sessions, increasing the risk of data leaks or unauthorized actions. The biggest pitfall is treating cross-origin resource sharing as an afterthought rather than a security control, which exposes your application to exploitation.
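The following is an added example, not part of this documentation or the scanner's own code: an allowlist-based builder for the header next to a check that flags the misconfigurations described above (wildcard, echoing an untrusted origin, and credentials combined with either). The allowlist and the origin strings are constructed for the example.

```python
"""Minimal CORS origin handling and a response check (added example)."""
from typing import Dict, List, Optional

# Constructed allowlist; a real deployment loads this from configuration.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def build_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Return the CORS headers to emit for a request carrying `origin`.

    Only an exact allowlist match is echoed back. Any other origin gets no
    Access-Control-Allow-Origin header at all, so the browser blocks the
    cross-origin read instead of the server opening it to everyone with "*".
    """
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            # Caches must not serve one origin's answer to a different origin.
            "Vary": "Origin",
        }
    return {}


def check_acao(request_origin: str, response_headers: Dict[str, str]) -> List[str]:
    """Flag weak Access-Control-Allow-Origin settings in a response.

    `request_origin` is the Origin value the test request was sent with; it is
    assumed NOT to be a trusted origin unless it appears in ALLOWED_ORIGINS.
    Returns a list of finding labels (empty means nothing was flagged).
    """
    findings: List[str] = []
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    untrusted = request_origin not in ALLOWED_ORIGINS

    if acao == "*":
        findings.append("wildcard origin")
    elif acao == request_origin and untrusted:
        # Server reflected whatever Origin it was given: effectively "*".
        findings.append("reflects arbitrary origin")

    if creds and untrusted and acao in ("*", request_origin):
        # Credentialed cross-origin reads from an untrusted site expose sessions.
        findings.append("credentials allowed for untrusted origin")
    return findings
```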
Reference:
Configuration
Identifier:
protocol/header_access_control_allow_origin
Examples
All configuration available:
Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API7:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.10 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.1 |
| NIST | SP800-53 |
| FedRAMP | AC-4 |
| CWE | 346 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| CVSS Score | 4.3 |