Avoid overly permissive CORS

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: java-security/permissive-cors

Language: Java

Severity: Warning

Category: Security

Description

Do not set overly permissive CORS requests. Restrict the host allowed to communicate with to prevent potential malicious requests in your application.

Learn More

Non-Compliant Code Examples

class NotCompliant {
    @GET
    @Path("/some/path")
    public Response getRoute() {
        response.addHeader("Access-Control-Allow-Origin: *");
    }
}
class NotCompliant {
    @GET
    @Path("/some/path")
    public Response getRoute() {
        response.addHeader("Access-Control-Allow-Origin", "*");
    }
}

Compliant Code Examples

class NotCompliant {
    @GET
    @Path("/some/path")
    public Response getRoute() {
        response.addHeader("Access-Control-Allow-Origin", "https://developer.mozilla.org");
    }
}
class NotCompliant {
    @GET
    @Path("/some/path")
    public Response getRoute() {
        response.addHeader("Access-Control-Allow-Origin: https://developer.mozilla.org");
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis