Protocol: Access-Control-Allow-Origin Header
Identifier:
header_access_control_allow_origin
Scanner(s) Support
Supported by: GraphQL Scanner, REST Scanner, WebApp Scanner
Description
The Access-Control-Allow-Origin header tells the browser which websites are allowed to read resources on your server. When developers set it too loosely, by using a wildcard (*) or by forgetting it altogether, it can allow any site to make requests. This misconfiguration can let attackers access sensitive data or misuse authenticated sessions, increasing the risk of data leaks or unauthorized actions. The biggest pitfall is treating cross-origin resource sharing as an afterthought instead of a security concern, which opens up your application to potential exploitation.
References:
- https://owasp.org/www-community/Security_Headers
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
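The classification a check like this has to make, as an added example that is not the scanner's own code: given the response headers and the Origin the probe sent, decide whether the Access-Control-Allow-Origin value is a wildcard, the null origin, a reflected untrusted origin, or a properly allow-listed one, and raise the severity when Access-Control-Allow-Credentials is also set. The header dicts, origins and the `trusted_origins` allowlist below are constructed sample data.

```python
def classify_acao(response_headers, request_origin, trusted_origins):
    """Return (severity, reason) for one response to a cross-origin probe.

    response_headers: response header names -> values (any case).
    request_origin:   the Origin value the probe sent.
    trusted_origins:  origins the application is meant to share with
                      (hypothetical allowlist supplied by the operator).
    """
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        # No header at all: browsers refuse cross-origin reads, nothing to flag.
        return ("info", "no ACAO header, cross-origin reads denied by browser")
    if acao == "*":
        # Wildcard: every origin may read the response. Browsers will not pair
        # "*" with credentials, but public data is still exposed to any site.
        return ("high" if creds else "medium", "wildcard ACAO")
    if acao == "null":
        # "null" is what sandboxed iframes and file:// pages send, so allowing
        # it is about as permissive as a wildcard in practice.
        return ("high", "ACAO allows the null origin")
    if acao == request_origin and request_origin not in trusted_origins:
        # Reflecting whatever Origin arrived is a wildcard in disguise, and
        # unlike "*" it does combine with credentials.
        return ("critical" if creds else "high", "untrusted origin reflected")
    if acao in trusted_origins:
        return ("info", "ACAO restricted to an allow-listed origin")
    return ("low", f"unexpected ACAO value {acao!r}")


def scan_samples():
    """Run the check over constructed sample responses; returns severities."""
    probe = "https://untrusted.example"          # constructed probe origin
    trusted = {"https://app.example"}            # constructed allowlist
    samples = {
        "wildcard": {"Access-Control-Allow-Origin": "*"},
        "reflected_with_creds": {"Access-Control-Allow-Origin": probe,
                                 "Access-Control-Allow-Credentials": "true"},
        "null_origin": {"Access-Control-Allow-Origin": "null"},
        "missing": {},
        "allowlisted": {"access-control-allow-origin": "https://app.example"},
    }
    return {name: classify_acao(h, probe, trusted)[0] for name, h in samples.items()}


if __name__ == "__main__":
    for name, severity in scan_samples().items():
        print(f"{name:22s} {severity}")
```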
Configuration
Example
Example configuration:

```yaml
---
security_tests:
  header_access_control_allow_origin:
    assets_allowed:
      - REST
      - GRAPHQL
      - WEBAPP
    skip: false
```
Reference
assets_allowed
Type: List[AssetType]
List of assets that this check will cover.
skip
Type: boolean
Skip the test if true.