Misconfigured Access-Control-Allow-Origin Header Detected on Target Web Application

Netsparker detected a possibly misconfigured Access-Control-Allow-Origin header in the resource's HTTP response.

Cross-origin resource sharing (CORS) is a mechanism that allows resources (e.g., fonts, JavaScript, etc.) on a web page to be requested outside the domain from which the resource originated.

Unless this HTTP header is present, such "cross-domain" requests are forbidden by web browsers, per the same-origin security policy.

Impact

A permissive Access-Control-Allow-Origin header weakens the protection the same-origin security policy provides, which is generally not appropriate. The only case where it is appropriate is when the page or API response is considered completely public content that is intended to be accessible to everyone.

Remedy

If this page is intended to be accessible to everyone, you don't need to take any action. Otherwise, follow the guidelines for the different architectures below to set this header so that it permits only the intended outside domain. In each snippet, replace the domain placeholder with the full origin you want to allow (scheme, host and, if non-default, port, e.g. https://app.example.com); a browser compares the header value against the requesting page's origin, so a bare hostname will not match.

Apache

  • Add the following line inside either the <Directory>, <Location>, <Files> or <VirtualHost> sections of your server config (usually located in httpd.conf or apache.conf), or within a .htaccess file. The Header directive requires mod_headers to be enabled.
    Header set Access-Control-Allow-Origin "domain"

IIS6

  1. Open Internet Information Service (IIS) Manager
  2. Right click the site you want to enable CORS for and go to Properties
  3. Change to the HTTP Headers tab
  4. In the Custom HTTP headers section, click Add
  5. Enter Access-Control-Allow-Origin as the header name
  6. Enter domain as the header value

IIS7

  • Merge the following XML into the web.config file at the root of your application or site (IIS configuration element names are case-sensitive):
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="Access-Control-Allow-Origin" value="domain" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>

ASP.NET

  • If you don't have access to configure IIS, you can still add the header through ASP.NET by adding the following line to your source pages:
    Response.AppendHeader("Access-Control-Allow-Origin", "domain");
    
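The snippets above all emit one fixed value. When more than one outside origin must be allowed, the header has to be chosen per request, and the safe way to do that is an exact match against an allowlist rather than echoing whatever Origin the browser sent. The following is an added example, not Netsparker's code or a snippet from any of the servers above; the allowlist entries and header dictionaries are constructed for illustration. It shows the hardened selection logic, a model of the browser-side same-origin check the header unlocks, and a small triage function that classifies a response's Access-Control-Allow-Origin the way a scanner finding like this one would be reviewed.

```python
"""CORS allowlist helpers (added example; not part of Netsparker or any project)."""
from urllib.parse import urlsplit

# Constructed allowlist: the only cross-origin pages allowed to read responses.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})


def normalize_origin(origin):
    """Reduce a browser Origin value to lowercase scheme://host[:port].

    Returns None for anything that is not a plain origin (paths, queries,
    fragments, unexpected schemes), so a malformed value can never match.
    """
    if not origin:
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_response_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Headers to add to a response for a cross-origin request.

    Exact allowlist match only: the Origin is never echoed blindly and no
    wildcard is used, so a non-allowlisted site receives no CORS grant at all.
    """
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        # The response now differs per Origin; tell caches not to mix them up.
        "Vary": "Origin",
    }


def browser_allows_read(page_origin, resource_origin, response_headers):
    """Model the browser's check for a simple GET from page_origin to resource_origin.

    Same-origin reads always succeed; cross-origin reads need the header to
    be '*' or to name the page's origin exactly.
    """
    if normalize_origin(page_origin) == normalize_origin(resource_origin):
        return True
    acao = _header(response_headers, "Access-Control-Allow-Origin")
    if acao is None:
        return False
    return acao == "*" or acao == page_origin


def classify_acao(response_headers, allowed=ALLOWED_ORIGINS):
    """Triage a response's Access-Control-Allow-Origin value.

    'absent'        - no cross-origin reads possible (the browser default)
    'public'        - '*': acceptable only if the content is wholly public
    'restricted'    - a single allowlisted origin
    'misconfigured' - anything else (non-allowlisted origin, 'null', garbage)
    """
    acao = _header(response_headers, "Access-Control-Allow-Origin")
    if acao is None:
        return "absent"
    if acao == "*":
        return "public"
    if normalize_origin(acao) in allowed:
        return "restricted"
    return "misconfigured"


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://evil.example.net", "null", None):
        print(repr(origin), "->", cors_response_headers(origin))
    print(classify_acao({"Access-Control-Allow-Origin": "*"}))
```

The normalisation step is deliberately strict: a value with a path, query or lookalike host such as app.example.com.evil.net falls through to "no CORS headers", which is the same outcome the browser enforces when the header is absent. Vary: Origin accompanies every per-origin grant so that a shared cache does not serve one origin's grant to another.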
