JS-D002

Misconfigured CORS in Express (JS-D002)

Severity: Major
Category: Security
a05, cwe-346, cwe-942, 2021, sans-top-25, owasp-top-10

Cross-Origin Resource Sharing (CORS) is a mechanism that enables web browsers to perform cross-domain requests using the XMLHttpRequest API in a controlled manner. It defines the protocol used between a web browser and a server to determine whether a cross-origin request is allowed.

Setting the Access-Control-Allow-Origin header to *, to null, or to an arbitrary external domain such as google.com is not a reliable way to secure the application.

Bad Practice

// Snippet 1: a wildcard origin lets any site read the response.
const express = require('express');
const app = express();
app.get('/', function (req, res) {
    res.writeHead(200, { 'Access-Control-Allow-Origin': '*' });
    res.end('hello'); // without this the request would hang
});

// Snippet 2: a hard-coded external domain. 'xyz.com' is not an origin the
// application controls, and a bare hostname without a scheme is not a valid
// Access-Control-Allow-Origin value, so browsers will never match it anyway.
const express = require('express');
const app = express();
app.get('/', function (req, res) {
    res.set('access-control-allow-origin', 'xyz.com');
    res.send('hello');
});
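As an added example (not code from the rule page, from DeepSource, or from Express itself), the allowlist approach below sends the CORS header only when the request's Origin exactly matches one of a fixed set of trusted origins, and never reflects an unknown origin or the literal string null. It is written as Express-style (req, res, next) middleware but does not require the express package, so it runs stand-alone; the origins app.example.com and admin.example.com and the fake request/response helpers are constructed for the demonstration.

```javascript
// Trusted origins, written exactly as a browser sends them in the Origin
// header (scheme + host, no path). Constructed placeholders for this example.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Decide which CORS headers (if any) to send for the given Origin header.
// Returns null when the origin is missing or not allowlisted, so the browser
// blocks the cross-origin read. Exact Set lookup: no wildcard, no substring
// or regex matching, and the string 'null' is never in the allowlist.
function corsHeadersFor(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return null;
  }
  return {
    'Access-Control-Allow-Origin': origin,
    // The response differs per Origin, so caches must key on it.
    'Vary': 'Origin',
  };
}

// Express-compatible middleware. Works with any object exposing req.headers,
// req.method, res.setHeader and res.end (Node's http.ServerResponse does).
function corsMiddleware(req, res, next) {
  const headers = corsHeadersFor(req.headers.origin);
  if (headers) {
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
  }
  if (req.method === 'OPTIONS') {
    // Preflight request: answer it here with 204 and no body.
    if (headers) {
      res.setHeader('Access-Control-Allow-Methods', 'GET,POST');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
    }
    res.statusCode = 204;
    return res.end();
  }
  next();
}

// Minimal stand-ins for Express req/res so the middleware can be exercised
// without a server (constructed test doubles, not Express internals).
function fakeRequest(method, origin) {
  const headers = origin === undefined ? {} : { origin };
  return { method, headers };
}

function fakeResponse() {
  const res = { statusCode: 200, headers: {}, ended: false };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  res.end = () => { res.ended = true; };
  return res;
}

// Run one request through the middleware and report what it produced.
function simulate(method, origin) {
  const req = fakeRequest(method, origin);
  const res = fakeResponse();
  let reachedHandler = false;
  corsMiddleware(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, headers: res.headers, reachedHandler };
}

// With a real Express app this would be: app.use(corsMiddleware);
console.log(simulate('GET', 'https://app.example.com'));
console.log(simulate('GET', 'https://app.example.com.attacker.example'));
console.log(simulate('GET', 'null'));
console.log(simulate('OPTIONS', 'https://admin.example.com'));
```

Because the header value is taken from the allowlist rather than echoed from the request, a non-allowlisted origin receives no Access-Control-Allow-Origin header at all, and the Vary: Origin header stops a shared cache from handing one origin's response to another.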