
Access-Control-Allow-Origin Header

Description

The response either carries no Access-Control-Allow-Origin header, so the API publishes no explicit CORS policy, or sets it to `*`, which lets a page on any origin read the response. Browsers refuse to expose a `*` response to a credentialed request, so the wildcard alone leaks only what was already reachable without authentication; the dangerous variant is a server that echoes an arbitrary request Origin back, particularly together with `Access-Control-Allow-Credentials: true`.

Remediation

Set Access-Control-Allow-Origin to the specific origin(s) that legitimately call the API (scheme, host and port, compared exactly against an allowlist), send `Vary: Origin` whenever the value depends on the request, and omit the header entirely for origins that are not on the list rather than echoing them back.
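To make the description concrete, here is an added example (not part of this page or of the scanner it documents) of how a check like this one can classify a response from its headers, and of the probe Origins worth sending to tell a real allowlist from a sloppy substring check. The attacker domain, the two model servers and the response headers are constructed for the example:

```javascript
// Added example, not the check's own implementation. Classifies the CORS
// posture of a response from its headers and generates probe Origins.
// ATTACKER, buggyServer and fixedServer are constructed for the example.

const ATTACKER = 'attacker.example'; // constructed: a domain the target never trusts

// Origins a scanner sends to see what the server echoes back. Each one
// defeats a different sloppy allowlist check on the server side.
function probeOrigins(targetOrigin) {
  const t = new URL(targetOrigin);
  return [
    `https://${ATTACKER}`,               // plain foreign origin
    `https://${t.hostname}.${ATTACKER}`, // beats startsWith / includes checks
    `https://evil-${t.hostname}`,        // beats endsWith(hostname) checks
    `http://${t.hostname}`,              // beats checks that ignore the scheme
    'null',                              // sandboxed iframes and file: pages send Origin: null
  ];
}

// Case-insensitive header lookup on a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// probeOrigin must be an origin the server should NOT trust; an exact echo
// of it is therefore reflection, not a legitimate allowlist hit.
function assessCors(probeOrigin, headers) {
  const acao = getHeader(headers, 'access-control-allow-origin');
  const creds = (getHeader(headers, 'access-control-allow-credentials') || '').toLowerCase() === 'true';
  if (acao === undefined) return 'missing';               // no explicit policy; browser blocks the read
  if (acao === '*') return creds ? 'wildcard-with-credentials' : 'wildcard';
  if (acao === probeOrigin) return creds ? 'reflected-with-credentials' : 'reflected';
  return 'specific-origin';                               // some other fixed origin
}

// Least to most severe. Browsers reject '*' combined with credentials, so
// that pair is a misconfiguration rather than a credentialed read; a
// reflected origin with credentials lets an attacker page read authenticated
// responses.
const SEVERITY = ['specific-origin', 'missing', 'wildcard',
  'wildcard-with-credentials', 'reflected', 'reflected-with-credentials'];

// send(origin) models one request with that Origin and returns the response
// headers. Returns the worst verdict and the probe that produced it.
function scan(targetOrigin, send) {
  let worst = { verdict: 'specific-origin', probe: null };
  for (const probe of probeOrigins(targetOrigin)) {
    const verdict = assessCors(probe, send(probe));
    if (SEVERITY.indexOf(verdict) > SEVERITY.indexOf(worst.verdict)) worst = { verdict, probe };
  }
  return worst;
}

// Constructed model of a buggy server: trusts any Origin that ends in its
// own registrable domain and echoes it back with credentials.
function buggyServer(origin) {
  if (origin && origin.endsWith('example.com')) {
    return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
  }
  return { 'Content-Type': 'application/json' };
}

// Constructed model of the remediated server: exact allowlist, and no ACAO
// at all for anything else.
const FIXED_ALLOWLIST = new Set(['https://app.example.com']);
function fixedServer(origin) {
  const headers = { 'Content-Type': 'application/json', Vary: 'Origin' };
  if (FIXED_ALLOWLIST.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

console.log(scan('https://api.example.com', buggyServer)); // reflected-with-credentials via https://evil-api.example.com
console.log(scan('https://api.example.com', fixedServer)); // missing: no ACAO for any probe origin
```

Note what the remediated server returns to the probes: no Access-Control-Allow-Origin at all, which this check reports as "missing". That is the correct answer to an untrusted origin; the finding is only meaningful for the application's own legitimate origin, which a scanner cannot know without being told.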

GraphQL Specific

Apollo To remediate the 'Access-Control-Allow-Origin' header issue in Apollo Server, configure CORS on the HTTP layer that serves the GraphQL endpoint. In Apollo Server 3 the standalone ApolloServer constructor and applyMiddleware accept a 'cors' option, which takes the same options object as the 'cors' package; in Apollo Server 4, startStandaloneServer always answers with '*' and cannot be customised, so for anything other than a public, unauthenticated API mount expressMiddleware behind the 'cors' package instead. For example, to allow requests only from 'https://example.com', pass '{ origin: 'https://example.com' }'. If you need several origins or more complex rules, provide a function to the 'origin' option that compares the incoming Origin exactly against an allowlist and returns false for anything else, so the header is omitted rather than reflected. Always restrict the header to the specific origins that should have access and avoid the wildcard '*' in production, since it lets a page on any origin read unauthenticated responses.
Yoga To remediate the 'Access-Control-Allow-Origin' header issue in GraphQL Yoga, configure the 'cors' option of createYoga rather than leaving its default. Set its 'origin' to the specific origins that should be allowed to access the endpoint instead of the wildcard '*', either as a fixed list of trusted domains or through a function that checks the request's Origin against an allowlist before the header is set. If authentication is required, enable 'credentials' only for those trusted origins: browsers reject a credentialed response whose 'Access-Control-Allow-Origin' is '*', and a server that echoes any Origin back together with 'Access-Control-Allow-Credentials: true' exposes authenticated responses to every site.
Awsappsync To remediate the 'Access-Control-Allow-Origin' header issue in AWS AppSync, ensure that the CORS configuration for your GraphQL API is correctly set. In the AWS AppSync console, navigate to your API settings and under the 'Default Settings' section, specify the domains that are allowed to access your API by setting the 'Access-Control-Allow-Origin' header to a specific origin rather than a wildcard. Additionally, review and adjust other CORS headers such as 'Access-Control-Allow-Headers' and 'Access-Control-Allow-Methods' to control the allowed headers and HTTP methods for cross-origin requests. Always follow the principle of least privilege, granting only the permissions that are necessary to minimise security risks.
Graphqlgo To remediate the Access-Control-Allow-Origin header issue in a Go GraphQL server, ensure that the server only allows specific trusted origins to access your resources. Implement a middleware that compares the Origin header exactly against an allowlist of full origins (scheme, host and port) before setting the Access-Control-Allow-Origin header, and omit the header for anything not on the list. Avoid using the wildcard '*' in production, as it allows any origin to read your responses, and avoid suffix or substring matching on the hostname, which an attacker-controlled domain can satisfy. Consider using a library such as the 'cors' middleware for net/http to manage these headers consistently.
Graphqlruby To remediate the 'Access-Control-Allow-Origin' header issue in a GraphQL Ruby framework engine, ensure that the CORS policy is configured correctly. Use the 'rack-cors' middleware or a similar CORS handling library to define which origins are allowed to access your GraphQL API. Set up a strict policy that only permits specific domains and ensure that credentials are handled securely if allowed. Regularly review and update the CORS policy to adapt to changes in your application's consumption patterns.
Hasura Configure the 'Access-Control-Allow-Origin' header in the Hasura engine's settings to specify an allowlist of origins that are permitted to access the resources. Ensure that the header is not set to '*', which is the engine's default and allows any domain to access your resources, and instead define explicit origins that need access. This is done by setting the 'HASURA_GRAPHQL_CORS_DOMAIN' environment variable (or the '--cors-domain' flag) to a comma-separated list of origins, or through custom middleware if you're using Hasura behind a proxy server.
Agoo Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the Agoo framework to prevent unauthorized cross-origin requests.
Ariadne Ensure that the 'Access-Control-Allow-Origin' header is explicitly set to a specific, trusted domain in the Ariadne framework engine to prevent unauthorized cross-origin requests.
Caliban Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the Caliban framework to prevent unauthorized cross-origin requests.
Dgraph Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in your Dgraph framework configuration to prevent unauthorized cross-origin requests.
Dianajl Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the DianaJL framework engine to prevent unauthorized cross-origin requests.
Directus Ensure the 'Access-Control-Allow-Origin' header is set to a specific domain in the Directus framework to prevent unauthorized cross-origin requests.
Flutter A Flutter client does not set response headers itself; ensure that the backend serving your Flutter web application's API sets the 'Access-Control-Allow-Origin' header to the specific, trusted origin the application is served from, to prevent unauthorized cross-origin requests.
Graphene Ensure that the `Access-Control-Allow-Origin` header is set to a specific, trusted domain in your Graphene framework engine to prevent unauthorized cross-origin requests.
Graphqlapiforwp Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the GraphQL API for WP framework to prevent unauthorized cross-origin requests.
Graphqlgophergo Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the GraphQL Gopher framework to prevent unauthorized cross-origin requests.
Graphqljava Ensure the `Access-Control-Allow-Origin` header is set to a specific domain in the GraphQL Java framework to prevent unauthorized cross-origin requests.
Graphqlphp Ensure the 'Access-Control-Allow-Origin' header is set to a specific domain in the GraphQL PHP framework to prevent unauthorized cross-origin requests.
Graphqlyoga Ensure the 'Access-Control-Allow-Origin' header is set to a specific domain in the GraphQL Yoga server configuration to prevent unauthorized cross-origin requests.
Hypergraphql Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the HyperGraphQL framework engine to prevent unauthorized cross-origin requests.
Jaal Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the Jaal framework engine to prevent unauthorized cross-origin requests.
Juniper Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain to prevent unauthorized cross-origin requests in the Juniper framework engine.
Lacinia Ensure the `Access-Control-Allow-Origin` header is set to a specific, trusted domain in the Lacinia framework to prevent unauthorized cross-origin requests.
Lighthouse Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain to prevent unauthorized cross-origin requests.
Mercurius Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the Mercurius framework to prevent unauthorized cross-origin requests.
Morpheusgraphql Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the Morpheus GraphQL framework to prevent unauthorized cross-origin requests.
Qglgen Ensure that the `Access-Control-Allow-Origin` header is set to a specific, trusted domain in the gqlgen framework to prevent unauthorized cross-origin requests.
Sangria Ensure that the `Access-Control-Allow-Origin` header is set to a specific, trusted domain in the Sangria framework to prevent unauthorized cross-origin requests.
Shopify Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain to prevent unauthorized access in the Shopify framework.
Stepzen Ensure the 'Access-Control-Allow-Origin' header is set to a specific domain in the StepZen framework engine to restrict access and enhance security.
Strawberry Ensure that the 'Access-Control-Allow-Origin' header is explicitly set to a specific, trusted domain in the Strawberry Framework engine to prevent unauthorized cross-origin requests.
Tartiflette Ensure that the `Access-Control-Allow-Origin` header is set to a specific, trusted domain in the Tartiflette framework engine to prevent unauthorized cross-origin requests.
Wpgraphql Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the wpgraphql framework to prevent unauthorized cross-origin requests.
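The Apollo, Yoga and Graphqlgo entries above (and the Express.js entry in the REST section) all come down to the same thing: an exact-match allowlist of origins, a validator that the framework's 'origin' option can call, and no header at all for unknown origins. The following added example, which is not Apollo's, Yoga's or the 'cors' package's own code, shows that logic in plain Node so it can be run without any of those packages; the origins in ALLOWED_ORIGINS are constructed for the example, and the validator uses the (origin, callback) shape the 'cors' package documents for its 'origin' option:

```javascript
// Added example; not Apollo's, Yoga's or the cors package's own code.
// The origins in ALLOWED_ORIGINS are constructed for the example.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// True only for a string that is exactly one allowlisted origin. Parsing the
// value and requiring it to round-trip unchanged rejects paths, trailing
// slashes, userinfo, default ports and the literal "null" origin; and because
// there is no suffix, prefix or regex matching, neither
// https://app.example.com.attacker.test nor https://evil-app.example.com
// can pass.
function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // not a URL at all (covers Origin: null)
  }
  if (parsed.origin !== origin) return false;
  return allowlist.has(parsed.origin);
}

// Validator in the cors package's `origin: (requestOrigin, callback)` shape,
// usable as `cors({ origin: makeOriginValidator(), credentials: true })`.
// callback(null, true) makes cors echo the request origin and add Vary: Origin;
// callback(null, false) makes it omit the CORS headers entirely, which is what
// an unknown origin should get instead of a fallback to '*'.
function makeOriginValidator(allowlist = ALLOWED_ORIGINS) {
  return (requestOrigin, callback) => {
    // Same-origin and non-browser requests carry no Origin header; they need
    // no CORS headers either.
    if (requestOrigin === undefined) return callback(null, false);
    callback(null, isAllowedOrigin(requestOrigin, allowlist));
  };
}

// The same policy as response headers for a server that is not using the
// cors package. Vary: Origin is always set because the response differs by
// origin and a shared cache must not serve one origin's headers to another.
function corsHeadersFor(req, allowlist = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  const headers = { Vary: 'Origin' };
  if (!isAllowedOrigin(origin, allowlist)) return headers; // no ACAO at all
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS';
  headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  headers['Access-Control-Max-Age'] = '600';
  return headers;
}

// Minimal GraphQL-style endpoint using the handler. Run with
//   CORS_DEMO_PORT=4000 node cors_allowlist.js
// and send requests with different Origin headers to see the policy applied.
if (process.env.CORS_DEMO_PORT) {
  const http = require('node:http');
  http.createServer((req, res) => {
    const cors = corsHeadersFor(req);
    if (req.method === 'OPTIONS') { // preflight
      res.writeHead(204, cors);
      return res.end();
    }
    res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ data: { __typename: 'Query' } }));
  }).listen(Number(process.env.CORS_DEMO_PORT));
}
```

The allowlist holds full origins, not hostnames: a browser's Origin header is exactly `scheme://host[:port]`, so any value that does not serialise back to itself was not sent by a browser and can be refused. Where a framework insists on a list rather than a function (Yoga's 'cors.origin', Hasura's 'HASURA_GRAPHQL_CORS_DOMAIN'), the same rule applies: list the exact origins and nothing wider.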

REST Specific

Asp_net In ASP.NET Core, use the built-in CORS middleware (services.AddCors with a named policy that calls WithOrigins(...) for the allowed origins, applied with UseCors); in classic ASP.NET, set the 'Access-Control-Allow-Origin' header in the customHeaders section of web.config or directly on the response. In both cases name the specific allowed origins rather than '*', which allows any domain.
Ruby_on_rails In Ruby on Rails, ensure that the 'Access-Control-Allow-Origin' header is set correctly in your responses. Use the 'rack-cors' gem for handling Cross-Origin Resource Sharing (CORS), and configure its 'origins' to the specific allowed origins. Avoid setting the header to '*', which allows any domain to access your resources, and instead define an allowlist of origins that are permitted to make requests to your application.
Next_js In Next.js, ensure that API routes or pages sending responses set the 'Access-Control-Allow-Origin' header appropriately. Use Next.js Middleware (middleware.ts) to intercept requests and conditionally set the header for specific origins, declare static headers through the 'headers()' option in next.config.js, or handle the CORS policy more comprehensively with a package like 'nextjs-cors'.
Laravel In Laravel, ensure that your routes or controllers that serve API responses include the 'Access-Control-Allow-Origin' header with the appropriate origin. The built-in CORS middleware reads config/cors.php, so set 'allowed_origins' there to the specific origins rather than '*'. Alternatively, add the header manually on a response, for example `->header('Access-Control-Allow-Origin', 'https://example.com')`, or write a middleware that sets it only when the request's Origin matches an allowlist.
Express_js In Express.js, ensure that the 'Access-Control-Allow-Origin' header is set to the specific origin(s) that should be allowed to access the resource, rather than '*' for unrestricted access. Use middleware such as 'cors' to configure this header properly. For example: `app.use(cors({ origin: 'https://example.com' }));` where 'https://example.com' is the allowed origin; for several origins pass an array, or a function that checks the request's Origin against an allowlist.
Django In Django, ensure that the 'Access-Control-Allow-Origin' header is properly set by using the 'CORS_ALLOWED_ORIGINS' setting of the 'django-cors-headers' library (named 'CORS_ORIGIN_WHITELIST' in older releases). Configure it with a list of allowed origins to restrict cross-origin access to trusted sources, and leave 'CORS_ALLOW_ALL_ORIGINS' disabled.
Symfony In Symfony, ensure that the 'Access-Control-Allow-Origin' header is properly set by using the 'nelmio/cors-bundle' ('allow_origin' in its configuration) or by manually setting the headers on the 'Response' object to specify the allowed origins. Avoid using '*' for sensitive resources to prevent Cross-Origin Resource Sharing (CORS) vulnerabilities.
Spring_boot In Spring Boot, configure CORS globally by extending the `WebMvcConfigurer` and overriding the `addCorsMappings` method, or use `@CrossOrigin` annotations on individual controllers or handler methods to specify allowed origins. Avoid setting `Access-Control-Allow-Origin` to `*` in production.
Flask In Flask, set the 'Access-Control-Allow-Origin' header to the specific origin instead of '*', or use the Flask-CORS extension and pass its 'origins' parameter to handle CORS with more granularity.
Nuxt Ensure that the server-side application sets the 'Access-Control-Allow-Origin' header to the specific origins that should be allowed to access the resources, rather than '*', which allows any domain to access your resources. In Nuxt.js, you can configure this in your server middleware; modules like '@nuxtjs/proxy' only sidestep CORS during development, so the production backend still needs proper CORS headers.
Fastapi In FastAPI, ensure that the CORS (Cross-Origin Resource Sharing) middleware is properly configured. Use the `CORSMiddleware` and specify the `allow_origins` parameter with a list of allowed origins instead of `*`. For example, `app.add_middleware(CORSMiddleware, allow_origins=['https://example.com'], allow_credentials=True, allow_methods=['*'], allow_headers=['*'])`. This restricts cross-origin requests to the specified origins; narrow `allow_methods` and `allow_headers` to what the API actually needs as well. Do not combine `allow_origins=['*']` with `allow_credentials=True`: Starlette's middleware then echoes the request's Origin back for requests that carry cookies, which is the reflected-origin case.
Frappe Ensure the 'Access-Control-Allow-Origin' header is set to a specific domain in the Frappe framework to prevent unauthorized cross-origin requests.
Genzio Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the Genzio framework engine to prevent unauthorized cross-origin requests.
Gin Ensure the 'Access-Control-Allow-Origin' header is set to a specific domain in your Gin framework application to prevent unauthorized cross-origin requests. Avoid using '*' as it allows any domain to access your resources, which can lead to security vulnerabilities.
Gorilla Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain to prevent unauthorized cross-origin requests.
Hapi Ensure the 'Access-Control-Allow-Origin' header is set to a specific domain in your Hapi server configuration to prevent unauthorized cross-origin requests.
Hono Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain to prevent unauthorized cross-origin requests in the Hono framework engine.
Jersey Ensure the 'Access-Control-Allow-Origin' header is set to a specific domain in the Jersey framework to prevent unauthorized cross-origin requests.
Koa Ensure the `Access-Control-Allow-Origin` header is set to a specific domain in your Koa application to prevent unauthorized cross-origin requests. Avoid using `*` as it allows any domain to access your resources.
Ktor Ensure the `Access-Control-Allow-Origin` header is set to a specific domain in the Ktor framework by configuring CORS in your application settings to allow only trusted origins.
Leptos Ensure the `Access-Control-Allow-Origin` header is set to a specific domain to restrict cross-origin requests in the Leptos framework.
Macaron Ensure the 'Access-Control-Allow-Origin' header is set to a specific, trusted domain in the Macaron framework to prevent unauthorized cross-origin requests.
Phoenix Ensure the `Access-Control-Allow-Origin` header is set to a specific domain in your Phoenix framework application to restrict cross-origin requests and enhance security.
Redwoodjs Ensure that the `Access-Control-Allow-Origin` header is set to a specific domain in your RedwoodJS application to prevent unauthorized cross-origin requests. Avoid using `*` as it allows any domain to access your resources, which can lead to security vulnerabilities.
Rocket Ensure the `Access-Control-Allow-Origin` header is set to a specific, trusted domain to prevent unauthorized cross-origin requests in the Rocket framework.
Sveltekit Ensure that the `Access-Control-Allow-Origin` header is set to a specific, trusted domain in your SvelteKit application to prevent unauthorized cross-origin requests. Avoid using `*` as it allows any domain to access your resources, which can lead to security vulnerabilities.

Configuration

Identifier: protocol/header_access_control_allow_origin

Examples

Ignore this check

checks:
  protocol/header_access_control_allow_origin:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.1
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 346

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVSS_SCORE: 4.3
