Severity: Low
Netsparker detected a possibly misconfigured Access-Control-Allow-Origin header in the resource's HTTP response.
Cross-origin resource sharing (CORS) is a mechanism that allows a web page to request resources from a domain other than the one it was served from, for example through XMLHttpRequest.
Unless this HTTP header is present and permits the requesting origin, such "cross-domain" requests are forbidden by web browsers under the same-origin security policy.
Apache
Add the following line to the Apache configuration (httpd.conf or apache.conf), or within a .htaccess file (the Header directive requires mod_headers):

    Header set Access-Control-Allow-Origin "domain"

IIS6
Add a custom HTTP header named Access-Control-Allow-Origin to the site, with domain as the header value.

IIS7
Add the header in the site's web.config (element names are case-sensitive):

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="Access-Control-Allow-Origin" value="domain" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>

ASP.NET
Set the header from code on the response:

    Response.AppendHeader("Access-Control-Allow-Origin", "domain");

In every case, replace domain with the exact origin (scheme, host and, if non-default, port) that should be allowed to read the response.
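The configuration snippets above put the literal placeholder domain into the header. The following added example (not from Netsparker or the page) shows, in Python, how a server should choose that value from an allowlist rather than echoing the request's Origin, and how a scanner-style check classifies the values that get flagged; the allowlist and origins are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment loads it from configuration.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Canonicalize an Origin header value to scheme://host[:port], or return None if malformed.
    A serialized origin never carries a path, query, fragment or userinfo, so those are rejected."""
    try:
        p = urlsplit(origin.strip())
        port = p.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if p.scheme not in DEFAULT_PORTS or not p.hostname or p.path or p.query or p.fragment or p.username:
        return None
    if port in (None, DEFAULT_PORTS[p.scheme]):
        return f"{p.scheme}://{p.hostname}"  # hostname is already lowercased by urlsplit
    return f"{p.scheme}://{p.hostname}:{port}"


def acao_for_request(origin, allowed=ALLOWED_ORIGINS):
    """Return the Access-Control-Allow-Origin value to send for a request, or None to omit the header.
    Only an exact allowlist match is ever sent back; substrings, other schemes and other ports fail."""
    canon = normalize_origin(origin) if origin else None
    return canon if canon in allowed else None


def audit_acao(acao_value, request_origin, allowed=ALLOWED_ORIGINS):
    """Classify an observed Access-Control-Allow-Origin value the way a scanner finding would."""
    if acao_value is None:
        return "absent"       # no cross-origin read permitted; the safe default
    if acao_value == "*":
        return "wildcard"     # any origin may read the response
    if acao_value == "null":
        return "null"         # sandboxed frames and file:// pages serialize their origin as "null"
    if acao_value in allowed:
        return "ok"
    if request_origin and normalize_origin(request_origin) == normalize_origin(acao_value):
        return "reflected"    # header echoes whatever Origin the client sent
    return "unexpected"       # a value outside the allowlist that was not simply reflected
```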