Python
JavaScript
Java
Go
C#
Ansible
AWS CloudFormation Linter
C & C++
Dart Analyze
Docker
Kotlin
KubeLinter
PHP
Ruby
Rust
Scala
Secrets
Shell
Slither
Solhint
SQL
Swift
Terraform
Test coverageMisconfigured CORS in expressJS-D002
Major
Security a05, cwe-346, cwe-942, 2021, sans-top-25, owasp-top-10
Cross-Origin Resource Sharing(CORS) is a mechanism that enables web browsers to perform cross-domain requests using the XMLHttpRequest API in a controlled manner. It defines the protocol to use between a web browser and a server to determine whether a cross-origin request is allowed.
Using *, null or google.com is not a reliable way to ensure security of the application or software.
Bad Practice
const express = require('express');
const app = express();
app.get('/', function (req, res) {
res.writeHead(200, { 'Access-Control-Allow-Origin': '*' });
});
Recommended
const express = require('express');
const app = express();
app.get('/', function (req, res) {
res.set('access-control-allow-origin', 'xyz.com');
});