Avoid unsafe CORS headers in Symfony
ID: php-security/symfony-unsafe-cors
Language: PHP
Severity: Error
Category: Security
CWE: 346
Description
This rule is centered around the importance of preventing Cross-Origin Resource Sharing (CORS) vulnerabilities in Symfony applications. The Access-Control-Allow-Origin header determines which origins are allowed to read the response.
The use of a wildcard (*) in the 'Access-Control-Allow-Origin' header, which signifies that any origin is allowed, is considered unsafe and can expose your application to potential security risks like Cross-Site Request Forgery (CSRF) and data breaches.
To comply with this rule and ensure the security of your application, always specify the exact domain (origin) that is allowed to access the resources. For instance, instead of using a wildcard (*), use 'Access-Control-Allow-Origin' => 'domain.tld'. This practice restricts access to your resources to the specified domain only, thereby reducing potential security risks.
Non-Compliant Code Examples
<?php
use Symfony\Component\HttpFoundation\Response;

// Wildcard passed directly in the constructor's headers array: any origin may read the response.
$response = new Response('content', Response::HTTP_OK, Array('Access-Control-Allow-Origin' => '*'));
// The same wildcard built into a variable first; the rule still flags it.
$var = ['Access-Control-Allow-Origin' => '*'];
$response = new Response('content', Response::HTTP_OK, $var);
// Header names are case-insensitive, so the lowercase form is just as unsafe.
$response->headers->set('access-control-allow-origin', '*');
Compliant Code Examples
<?php
use Symfony\Component\HttpFoundation\Response;
// A single explicit origin instead of the wildcard, via the constructor's headers array...
$response = new Response('content', Response::HTTP_OK, Array('Access-Control-Allow-Origin' => 'domain.tld'));
// ...or via the header bag.
$response->headers->set('access-control-allow-origin', 'domain.tld');
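The compliant examples hard-code one origin. In practice a service often has to serve several known front-ends, and the header value must be a full origin (scheme, host and, if non-default, port) to match what a browser sends in its Origin header, so the bare 'domain.tld' above is a placeholder rather than a value that would match. The following is an added example, not code from the rule page or from Symfony itself, showing an allowlist-based helper for Symfony's HttpFoundation that echoes back only an exact, allowlisted origin; the ALLOWED_ORIGINS constant, the applyCors() function name and the sample requests are assumptions made for illustration.

```php
<?php
// Added example: allowlist-based CORS for Symfony's HttpFoundation Response.
// The allowlist, helper name and the sample requests are assumptions for
// illustration; they are not part of the rule page.
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

// Exact origins (scheme + host [+ port]). A browser's Origin header must match
// this string byte for byte, so 'domain.tld' without a scheme would never match.
const ALLOWED_ORIGINS = [
    'https://app.domain.tld',
    'https://admin.domain.tld:8443',
];

/**
 * Apply CORS headers to $response based on the request's Origin header.
 * Only an allowlisted origin is echoed back; any other origin gets no
 * Access-Control-Allow-Origin header at all, which the browser treats as a
 * denied cross-origin read. The wildcard is never emitted.
 */
function applyCors(Request $request, Response $response): Response
{
    $origin = $request->headers->get('Origin');
    if ($origin === null) {
        return $response; // same-origin or non-browser request: nothing to do
    }
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return $response; // unknown origin: leave the header out entirely
    }
    $response->headers->set('Access-Control-Allow-Origin', $origin);
    // Credentials are only safe to allow together with an exact origin,
    // never with '*' (browsers reject that combination anyway).
    $response->headers->set('Access-Control-Allow-Credentials', 'true');
    // Tell caches that the response differs per Origin, so a response built
    // for one allowed origin is not served to another.
    $response->setVary('Origin', false);
    return $response;
}

// Constructed sample requests: one allowlisted origin, one unknown origin.
$allowed = Request::create('/api/data', 'GET', [], [], [], ['HTTP_ORIGIN' => 'https://app.domain.tld']);
$denied  = Request::create('/api/data', 'GET', [], [], [], ['HTTP_ORIGIN' => 'https://evil.example']);

$r1 = applyCors($allowed, new Response('content', Response::HTTP_OK));
$r2 = applyCors($denied, new Response('content', Response::HTTP_OK));
var_dump($r1->headers->get('Access-Control-Allow-Origin'));
var_dump($r2->headers->has('Access-Control-Allow-Origin'));
```

In a real application this logic belongs in a kernel.response event listener or a dedicated CORS bundle configured with the same explicit allowlist, so that no controller can reintroduce the wildcard.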