Misconfigured Access-Control-Allow-Origin Header

Severity: Low
Summary#

Invicti detected a possibly misconfigured Access-Control-Allow-Origin header in resource's HTTP response.

Cross-origin resource sharing (CORS) is a mechanism that allows resources on a web page to be requested outside the domain through XMLHttpRequest.

Unless this HTTP header is present, such "cross-domain" requests are forbidden by web browsers, per the same-origin security policy.

Impact#
This is generally not appropriate when using the same-origin security policy. The only case where this is appropriate when using the same-origin policy is when a page or API response is considered completely public content and it is intended to be accessible to everyone.
Remediation#
If this page is intended to be accessible to everyone, you don't need to take any action. Otherwise please follow the guidelines for different architectures below in order to set this header and permit outside domain.

Apache

  • Add the following line inside either the <directory>, <location>, <files> or <virtualhost> sections of your server config (usually located in httpd.conf or apache.conf), or within a .htaccess file.
    Header set Access-Control-Allow-Origin "domain"
    

IIS6

  1. Open Internet Information Service (IIS) Manager
  2. Right click the site you want to enable CORS for and go to Properties
  3. Change to the HTTP Headers tab
  4. In the Custom HTTP headers section, click Add
  5. Enter Access-Control-Allow-Origin as the header name
  6. Enter domain as the header value

IIS7

  • Merge the following xml into the web.config file at the root of your application or site:
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.webserver>
        <httpprotocol>
          <customheaders>
            <add name="Access-Control-Allow-Origin" value="domain" />
          </customheaders>
        </httpprotocol>
      </system.webserver>
    </configuration>
    

ASP.NET

  • If you don't have access to configure IIS, you can still add the header through ASP.NET by adding the following line to your source pages:
    Response.AppendHeader("Access-Control-Allow-Origin", "domain");
    
Further Reading#

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works