Avoid using an insecure Access-Control-Allow-Origin header
ID: typescript-express/insecure-allow-origin
Language: TypeScript
Severity: Warning
Category: Security
CWE: 346
Description
Setting an Access-Control-Allow-Origin header with an unverified user-defined input can lead to sharing sensitive data with an unintended user.
If this is unavoidable, consider comparing the input against a safe-list.
Learn More
Non-Compliant Code Examples
app.get('/', function (req: Request, res: Response) {
res.set('Access-Control-Allow-Origin', req.headers.foo)
res.set({ "foo": "bar", 'Access-Control-Allow-Origin': req.query.foo })
res.header('Access-Control-Allow-Origin', req.params.foo)
res.setHeader('Access-Control-Allow-Origin', req.body.foo);
res.writeHead(200, { "foo": "bar", 'Access-Control-Allow-Origin': req.cookies.foo })
});
Compliant Code Examples
app.get('/', function (req: Request, res: Response) {
res.set('Access-Control-Allow-Origin', "foo_url")
res.set({ "foo": "bar", 'Access-Control-Allow-Origin': "foo_url" })
res.header('Access-Control-Allow-Origin', "foo_url")
res.setHeader('Access-Control-Allow-Origin', "foo_url");
res.writeHead(200, { "foo": "bar", 'Access-Control-Allow-Origin': "foo_url" })
});
Seamless integrations. Try Datadog Code Analysis