Missing Access-Control-Allow-Origin HTTP header

Description

This publicly exposed API endpoint does not send an Access-Control-Allow-Origin (ACAO) header, so it has no explicit Cross-Origin Resource Sharing (CORS) policy. Without the header, browsers fall back to the same-origin policy and refuse to let scripts running on other origins read the API's responses. That default is safe by itself, but it usually means CORS was never deliberately configured, and an ad-hoc fix added later (a wildcard, or reflecting whatever Origin value the request carries, especially together with Access-Control-Allow-Credentials: true) would let any website read the API's responses with the user's credentials. Note that CORS governs who may read a response, not who may send a request: a cross-site request with side effects is a cross-site request forgery (CSRF) problem and must be prevented separately, for example with anti-CSRF tokens or SameSite cookies.

Remediation

Implement the Access-Control-Allow-Origin (ACAO) header in all API responses with appropriate values:

  • Use specific origins instead of the wildcard ‘*’ (browsers also refuse ‘*’ when credentials are allowed).
  • Only allow trusted origins that need browser access to the API, matched exactly against an allowlist; never echo the request's Origin header back unchecked, and avoid substring or suffix matching.
  • Send Vary: Origin alongside ACAO so that caches do not serve one origin's response headers to another.

Example header value:

Access-Control-Allow-Origin: https://trusted-domain.com
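The following is an added example, not code from the page or from any scanner, showing the allowlist check the remediation calls for as a framework-independent function. The origins in ALLOWED_ORIGINS are constructed placeholders (the page's trusted-domain.com plus a hypothetical app subdomain). It canonicalizes the Origin header the way browsers serialize it, returns no ACAO header at all for unknown origins, handles the preflight (OPTIONS) case, and includes the naive suffix check beside it to show why exact matching matters.

```python
"""Allowlist-based CORS decision for an API (added example, hypothetical origins)."""
from urllib.parse import urlsplit

# Constructed allowlist: replace with the origins that genuinely need browser access.
ALLOWED_ORIGINS = frozenset({
    "https://trusted-domain.com",
    "https://app.trusted-domain.com",
})
ALLOWED_METHODS = "GET, POST, PUT, DELETE"
ALLOWED_REQUEST_HEADERS = "Authorization, Content-Type"


def normalize_origin(origin):
    """Canonicalize an Origin header value to scheme://host[:port] as browsers serialize it.

    Returns None for anything that is not a plain origin: a missing header, the
    opaque "null" origin, userinfo, a path, query or fragment, or a bad port.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username or parts.path or parts.query or parts.fragment:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{parts.hostname}"  # hostname is already lowercased
    return f"{parts.scheme}://{parts.hostname}:{port}"


def naive_is_trusted(origin):
    """Common mistake: suffix matching on the raw Origin value.

    Accepts https://eviltrusted-domain.com, a name an attacker can simply register.
    """
    return origin is not None and origin.endswith("trusted-domain.com")


def cors_headers(origin, method):
    """Return the CORS response headers for a request, or {} when the origin is not allowlisted."""
    canonical = normalize_origin(origin)
    if canonical is None or canonical not in ALLOWED_ORIGINS:
        return {}  # no ACAO header: the browser's same-origin policy blocks the read
    headers = {
        "Access-Control-Allow-Origin": canonical,  # the allowlisted value, never the raw header
        "Vary": "Origin",                          # keep caches from reusing ACAO across origins
        "Access-Control-Allow-Credentials": "true",
    }
    if method == "OPTIONS":  # preflight request
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_REQUEST_HEADERS
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    # Constructed Origin values a scanner or attacker might send.
    for probe in ("https://trusted-domain.com", "https://TRUSTED-Domain.com:443",
                  "https://eviltrusted-domain.com", "https://trusted-domain.com.evil.com",
                  "null", None):
        print(repr(probe), "naive:", naive_is_trusted(probe), "allowlist:", cors_headers(probe, "GET"))
```

Wire cors_headers into whatever middleware layer your framework provides and merge its result into every response, including error responses and the preflight reply. The function deliberately returns an empty dict rather than a wildcard when the origin is unknown: the absence of the header is the browser's cue to block the cross-origin read. It does nothing about CSRF; keep that protection (tokens or SameSite cookies) in place regardless of the CORS policy.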