The Cross-Origin Resource Sharing (CORS) mechanism allows many resources (such as fonts or JavaScript) on a web page to be requested from another domain outside the domain from which the resource originated. It’s a crucial feature, but it can also pose a significant security risk if not implemented properly.
This rule is important because it helps prevent potential security vulnerabilities. Specifically, it prevents the misuse of the Access-Control-Allow-Origin header. This header indicates which origins are allowed to read the response from the server. If the server sends back a response with the Access-Control-Allow-Origin: * header, this means it’s allowing all origins to access its resources, which is an unsafe practice.
To adhere to this rule and ensure good coding practices, always specify the exact origin that is allowed to access the resources. For example, instead of using header("Access-Control-Allow-Origin: *");, which allows all origins, use header("Access-Control-Allow-Origin: https://domain.tld");, which only allows the specified domain to access the resources. This ensures that only trusted domains have access to your server’s resources, thereby reducing the risk of cross-site request forgery (CSRF) or data leakage.
Non-Compliant Code Examples
<?php// Insecure: Allowing all origins
header("Access-Control-Allow-Origin: *");
Compliant Code Examples
<?php// Secure: Only allows specified origin
header("Access-Control-Allow-Origin: https://domain.tld");
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- php-security # Rules to enforce PHP security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines
