Avoid unsafe CORS headers

Docs > Plateforme de sécurité Datadog > Code Security > Static Code Analysis (SAST) > Règles SAST > Avoid unsafe CORS headers

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: csharp-security/unsafe-cors

Language: C#

Severity: Warning

Category: Security

CWE: 346

Related CWEs:

Description

Your CORS policy should never allow all other resources. Instead, you must have a restrictive CORS policy to ensure your application only connects and exchanges data with trusted sources.

Learn More

Non-Compliant Code Examples

namespace Foo
{
    public class Startup
    {

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {

            services.AddCors(o => o.AddPolicy("AllowAllPolicy", options =>
            {
                options.AllowAnyOrigin()
                        .AllowAnyMethod()
                        .AllowAnyHeader()
                        .WithExposedHeaders("X-InlineCount");
            }));
        }
    }

class MyClass {
    public static void run()
    {
        app.UseCors(builder =>
            builder
                .AllowAnyOrigin()
                .AllowAnyMethod()
                .AllowAnyHeader());
    }
}

class MyClass {
    public static void payloadDecode()
    {
        response.Headers.Add("Access-Control-Allow-Origin", "*");
        response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*");
        response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "*");
    }
}

Compliant Code Examples

class MyClass {
    public static void payloadDecode()
    {
        response.Headers.Add("Access-Control-Allow-Origin", "https://domain.tld");
        response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://domain.tld");
        response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "https://domain.tld");
    }
}

class MyClass {
    public static void run()
    {
        app.UseCors(builder =>
            builder
                .WithOrigins("https://myfrontend.example.com")
                .AllowAnyMethod()
                .AllowAnyHeader());
    }
}