Security Test: Access-Control-Allow-Origin Header

Description

Default Severity:

The Access-Control-Allow-Origin header tells the browser which websites are allowed to read resources served by your origin. When developers set it too loosely, whether by using a wildcard (*) or by forgetting to configure it deliberately, any site may end up able to make cross-origin requests against the application. This misconfiguration can let attackers read sensitive data or misuse authenticated sessions, increasing the risk of data leaks and unauthorized actions. The biggest pitfall is treating cross-origin resource sharing as an afterthought instead of a security control, which leaves the application open to exploitation.
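The following Python example is added here to illustrate the check described above; it is not code from the original page or from the scanner it documents. It inspects the CORS headers of a single response the way a defender's detection logic would, flagging a wildcard, the literal value null, an arbitrary Origin reflected back, and a per-origin value served without Vary: Origin, and sets a hardened allowlist-based server response beside it. The allowlist, the origin values and the sample responses are constructed for the example.

```python
from typing import Dict, List

# Constructed allowlist for a hypothetical application; a real deployment
# would load this from configuration rather than hard-code it.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def check_acao(request_origin: str, response_headers: Dict[str, str]) -> List[str]:
    """Inspect one response's CORS headers and return a list of finding codes.

    request_origin is the Origin the request was sent with; response_headers
    are the headers the server answered with (names matched case-insensitively).
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    credentials = headers.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []

    if acao is None:
        # No header at all: the browser blocks cross-origin reads, nothing to report.
        return findings
    if acao == "*":
        # Any origin may read the body of non-credentialed responses.
        findings.append("wildcard")
        if credentials:
            # Browsers refuse '*' for credentialed requests, but the pairing shows
            # the endpoint was intended to share authenticated data cross-origin.
            findings.append("wildcard-with-credentials")
    elif acao == "null":
        # 'null' is the Origin of sandboxed frames and some redirects, so
        # allowing it is effectively an open allowlist.
        findings.append("null-origin")
    elif acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        # The server echoed an arbitrary Origin back; with credentials allowed,
        # authenticated responses become readable by that origin.
        findings.append("reflected-origin")
        if credentials:
            findings.append("reflected-origin-with-credentials")

    if acao not in ("*", "null") and "origin" not in headers.get("vary", "").lower():
        # A per-origin value that passes through a shared cache must vary on Origin,
        # otherwise one origin's allow header can be served to another.
        findings.append("missing-vary-origin")
    return findings


def cors_headers_for(request_origin: str) -> Dict[str, str]:
    """Hardened server side: emit CORS headers only for allowlisted origins."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers at all: cross-origin reads stay blocked
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


# Constructed sample responses: (Origin the request carried, response headers).
SAMPLES = {
    "wildcard": ("https://untrusted.example",
                 {"Access-Control-Allow-Origin": "*"}),
    "reflected": ("https://untrusted.example",
                  {"Access-Control-Allow-Origin": "https://untrusted.example",
                   "Access-Control-Allow-Credentials": "true"}),
    "hardened": ("https://app.example.com",
                 cors_headers_for("https://app.example.com")),
    "foreign": ("https://untrusted.example",
                cors_headers_for("https://untrusted.example")),
}

if __name__ == "__main__":
    for name, (origin, hdrs) in SAMPLES.items():
        print(f"{name}: {check_acao(origin, hdrs) or 'clean'}")
```

In practice the check is run twice per endpoint, once with an allowlisted Origin and once with an unrelated one, since a reflected-origin misconfiguration only shows up when the probe Origin is not on the server's own list.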

Reference:

Configuration

Identifier: protocol/header_access_control_allow_origin

Examples

All configuration available:

checks:
  protocol/header_access_control_allow_origin:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API7:2023
OWASP LLM Top 10    LLM06:2023
PCI DSS             6.5.10
GDPR                Article-32
SOC2                CC1
PSD2                Article-95
ISO 27001           A.14.1
NIST                SP800-53
FedRAMP             AC-4
CWE                 346
CVSS Vector         AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score          4.3