Avoid unsafe CORS headers

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: csharp-security/unsafe-cors

Language: C#

Severity: Warning

Category: Security

CWE: 346

Description

Your CORS policy should never allow all other resources. Instead, you must have a restrictive CORS policy to ensure your application only connects and exchanges data with trusted sources.

Learn More

Non-Compliant Code Examples

class MyClass {
    public static void payloadDecode()
    {
        response.Headers.Add("Access-Control-Allow-Origin", "*");
        response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*");
        response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "*");
    }
}

Compliant Code Examples

class MyClass {
    public static void payloadDecode()
    {
        response.Headers.Add("Access-Control-Allow-Origin", "https://domain.tld");
        response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://domain.tld");
        response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "https://domain.tld");
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis