Misconfigured CORS in express (JS-D002)
a05, cwe-346, cwe-942, 2021, sans-top-25, owasp-top-10
Cross-Origin Resource Sharing (CORS) is a mechanism that lets web browsers perform cross-domain requests with the XMLHttpRequest API in a controlled manner. It defines the protocol a browser and a server use to decide whether a given cross-origin request is allowed.
Using `*`, `null` or `google.com` as the allowed origin is not a reliable way to ensure the security of the application or software.
Bad Practice
const express = require('express');
const app = express();
app.get('/', function (req, res) {
  // Wildcard origin: any site can read this response cross-origin
  res.writeHead(200, { 'Access-Control-Allow-Origin': '*' });
  res.end('ok');
});
Recommended
const express = require('express');
const app = express();
app.get('/', function (req, res) {
  // Allow exactly one trusted origin; the value must be a full origin
  // (scheme + host), so 'xyz.com' alone would not match in the browser
  res.set('Access-Control-Allow-Origin', 'https://xyz.com');
  res.send('ok');
});