CORS

Description

Attackers can exploit CORS (Cross-Origin Resource Sharing) misconfigurations on the web server to perform CSRF (Cross-Site Request Forgery) attacks and send unauthorized commands using an authenticated user's session.

Remediation

Configure the Access-Control-Allow-Origin HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, so that the web browser enforces the Same Origin Policy (SOP) more strictly.

If your API is public and consumed by websites you do not control yourself, allowing any request origin is intended, and you can safely ignore this alert.

See: enable-cors.org.

GraphQL Specific

Apollo: To remediate CORS issues in the Apollo framework, ensure that the Apollo Server is configured to accept requests from trusted origins. This can be achieved by using the `cors` option in the Apollo Server constructor, where you can specify an array of allowed origins or set it to `true` to allow requests from any origin. It's important to restrict the origins to those that you trust to prevent security vulnerabilities. Additionally, consider using a package like `apollo-server-express` alongside `cors` middleware for more granular control over the CORS policy.
Yoga: To remediate CORS issues in the Yoga framework engine, ensure that the server is configured to set the appropriate 'Access-Control-Allow-Origin' header. This header should be set to the domains that are allowed to access the resources or use a wildcard '*' if the resources are public. Additionally, handle preflight requests by responding to the 'OPTIONS' HTTP method with the correct 'Access-Control-Allow-Methods' and 'Access-Control-Allow-Headers' headers. It's important to only allow trusted domains and not use a wildcard if sensitive data is involved. Implementing a proper CORS policy will help prevent unauthorized access to your resources.
Awsappsync: To remediate CORS issues in AWS AppSync, ensure that your GraphQL API is configured to allow cross-origin requests from trusted domains. This can be achieved by setting the appropriate CORS headers in the AWS AppSync console or through the AWS CLI. Specifically, update the 'Access-Control-Allow-Origin' header to include the domains that should be permitted to access your API. Additionally, verify that the 'Access-Control-Allow-Methods' and 'Access-Control-Allow-Headers' are correctly set to allow the necessary HTTP methods and headers required by your client-side application.
Graphqlgo: To mitigate CORS (Cross-Origin Resource Sharing) issues in a GraphQL Go framework engine, ensure that the server is configured to set appropriate CORS headers. Implement a middleware that checks incoming requests for the 'Origin' header and sets the 'Access-Control-Allow-Origin' header in the response accordingly. This header can be set to a specific origin or '*' to allow all origins. Additionally, handle preflight requests by responding to the 'OPTIONS' HTTP method with the correct 'Access-Control-Allow-Methods' and 'Access-Control-Allow-Headers' headers. It's important to only allow trusted origins and to validate and sanitize all inputs to prevent security vulnerabilities.
Graphqlruby: To mitigate CORS (Cross-Origin Resource Sharing) issues in a GraphQL Ruby framework, ensure that the Rack CORS middleware is properly configured. This can be done by adding the `rack-cors` gem to your Gemfile and configuring it in `config.ru` or the appropriate configuration file for your server. Set up the CORS rules to allow only trusted origins, specify which HTTP methods are permitted, and control headers and credentials as needed. Regularly review and update your CORS policy to adhere to the principle of least privilege, allowing access only where necessary.
Hasura: To remediate CORS issues in the Hasura framework, ensure that the 'cors-config' section in the Hasura configuration file is properly set to allow requests from trusted origins. Use the 'HASURA_GRAPHQL_CORS_DOMAIN' environment variable to specify allowed origins or set it to '*' to allow all domains during development. For production, list specific domains to restrict access and prevent unwanted cross-origin requests. Additionally, review and apply appropriate CORS policies for security headers like 'Access-Control-Allow-Origin', 'Access-Control-Allow-Credentials', and others as per your application's requirements.
Agoo: Ensure proper CORS configuration by specifying allowed origins, methods, and headers in the Agoo framework to prevent unauthorized cross-origin requests.
Ariadne: Ensure proper CORS configuration by specifying allowed origins, methods, and headers to prevent unauthorized access in the Ariadne framework.
Caliban: Ensure proper CORS configuration by specifying allowed origins, methods, and headers to prevent unauthorized cross-origin requests in the Caliban framework.
Dgraph: Ensure proper CORS configuration by specifying allowed origins, methods, and headers to prevent unauthorized cross-origin requests in the Dgraph framework.
Dianajl: Ensure proper CORS configuration by specifying allowed origins, methods, and headers in the dianajl framework engine to prevent unauthorized cross-origin requests.
Directus: Ensure proper CORS configuration by specifying allowed origins, methods, and headers in the Directus framework to prevent unauthorized cross-origin requests.
Flutter: Ensure secure CORS configurations by specifying allowed origins and methods in the Flutter web server settings.
Graphene: Ensure proper CORS configuration by specifying allowed origins and methods in the Graphene framework to prevent unauthorized cross-origin requests.
Graphqlapiforwp: Ensure proper CORS configuration by specifying allowed origins, methods, and headers to prevent unauthorized access in the GraphQL API for WordPress framework.
Graphqlgophergo: Implement strict CORS policies and validate origin headers to prevent unauthorized cross-origin requests in the GraphQL Gopher-Go framework.
Graphqljava: Ensure proper validation and sanitization of input data in GraphQL queries to prevent injection attacks.
Graphqlphp: Ensure proper CORS configuration by specifying allowed origins, methods, and headers in the GraphQL PHP framework to prevent unauthorized cross-origin requests.
Graphqlyoga: Ensure proper CORS configuration by specifying allowed origins and methods in the GraphQL Yoga server settings to prevent unauthorized cross-origin requests.
Hypergraphql: Ensure proper CORS configuration by specifying allowed origins, methods, and headers in the HyperGraphQL framework to prevent unauthorized cross-origin requests.
Jaal: Ensure proper CORS configuration by specifying allowed origins, methods, and headers to prevent unauthorized access in the Jaal framework engine.
Juniper: Ensure proper CORS configuration by specifying allowed origins, methods, and headers to prevent unauthorized cross-origin requests in the Juniper framework.
Lacinia: Ensure proper CORS configuration by specifying allowed origins, methods, and headers in the Lacinia framework engine to prevent unauthorized cross-origin requests.
Lighthouse: Ensure proper CORS configuration by specifying allowed origins, methods, and headers to prevent unauthorized cross-origin requests.
Mercurius: Ensure proper CORS configuration by specifying allowed origins, methods, and headers in the Mercurius framework to prevent unauthorized cross-origin requests.
Morpheusgraphql: Ensure proper CORS configuration by specifying allowed origins, methods, and headers in the Morpheus GraphQL framework to prevent unauthorized cross-origin requests.
Qglgen: Ensure proper CORS configuration by specifying allowed origins, methods, and headers in the qglgen framework to prevent unauthorized cross-origin requests.
Sangria: Ensure proper CORS configuration by specifying allowed origins and methods in the Sangria framework to prevent unauthorized cross-origin requests.
Shopify: Ensure CORS headers are properly configured to only allow trusted domains and implement CSRF tokens to protect against unauthorized requests in the Shopify framework.
Stepzen: Ensure proper CORS configuration by specifying allowed origins, methods, and headers in the StepZen framework to prevent unauthorized cross-origin requests.
Strawberry: Ensure proper CORS configuration by specifying allowed origins, methods, and headers to prevent unauthorized cross-origin requests in the Strawberry Framework.
Tartiflette: Ensure proper CORS configuration by specifying allowed origins, methods, and headers in the Tartiflette framework to prevent unauthorized cross-origin requests.
Wpgraphql: Ensure proper CORS configuration by specifying allowed origins and methods, and validate user input to prevent CSRF vulnerabilities in the WPGraphQL framework.
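The allowlisting middleware the Graphqlgo entry describes, applying the general remediation above (exact trusted origins, no wildcard with credentials, no Access-Control headers at all for anyone else). This is an added example written for this page, not code from Escape or from any framework listed; the allowlisted hostname, the /graphql path and the stub handler are constructed assumptions, and net/http/httptest lets it run offline.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Explicit allowlist of trusted origins (constructed sample hostname).
var allowedOrigins = map[string]bool{"https://app.example.com": true}

// CORSMiddleware grants cross-origin access only to allowlisted origins and answers
// preflights itself; it never echoes an arbitrary Origin and never pairs "*" with credentials.
func CORSMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && !allowedOrigins[origin] {
			// Untrusted origin: emit no Access-Control-* headers so the browser
			// enforces the Same Origin Policy, and refuse the preflight outright.
			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusForbidden)
				return
			}
		} else if origin != "" {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin) // exact origin, never "*"
			h.Set("Vary", "Origin")                      // shared caches must key on Origin
			h.Set("Access-Control-Allow-Credentials", "true")
			if r.Method == http.MethodOptions {
				h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
				h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r) // same-origin, non-browser, or trusted actual request
	})
}

// Probe runs one request through the middleware in front of a stub GraphQL handler and
// returns the status code and the Access-Control-Allow-Origin value a browser would see.
func Probe(method, origin string) (int, string) {
	req := httptest.NewRequest(method, "/graphql", nil)
	req.Header.Set("Origin", origin) // an empty value reads back as "no Origin header"
	rec := httptest.NewRecorder()
	stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("{}")) })
	CORSMiddleware(stub).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}
func main() {
	code, acao := Probe(http.MethodOptions, "https://other.example.net")
	println("preflight from untrusted origin:", code, "ACAO:", acao)
}
```

A quick check of the deployed server is to send the same preflight from an origin not on the allowlist: any Access-Control-Allow-Origin in the answer, and in particular an echoed Origin next to Allow-Credentials: true, is the misconfiguration this check flags.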

Configuration

Identifier: protocol/cors

Examples

Ignore this check

checks:
  protocol/cors:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.9
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 942

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References