Avoid unsafe CORS headers
ID: csharp-security/unsafe-cors
Language: C#
Severity: Warning
Category: Security
CWE: 346
Description
Your CORS policy should never allow all origins. Instead, apply a restrictive CORS policy that names the origins you trust, so that your application only connects to and exchanges data with those origins.
Non-Compliant Code Examples
using Microsoft.AspNetCore.Http;   // HttpResponse, IHeaderDictionary (ASP.NET Core)
using Microsoft.Net.Http.Headers;  // HeaderNames constants

class MyClass {
    // Every line below grants all origins access to the response: the "*"
    // wildcard is what the rule flags, whichever API writes the header.
    public static void payloadDecode(HttpResponse response)
    {
        response.Headers.Add("Access-Control-Allow-Origin", "*");
        response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*");
        // Same header write through the System.Web (classic ASP.NET) HttpResponse API.
        response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "*");
    }
}
Compliant Code Examples
using Microsoft.AspNetCore.Http;   // HttpResponse, IHeaderDictionary (ASP.NET Core)
using Microsoft.Net.Http.Headers;  // HeaderNames constants

class MyClass {
    // A single, explicitly named trusted origin; no other origin may read the response.
    public static void payloadDecode(HttpResponse response)
    {
        response.Headers.Add("Access-Control-Allow-Origin", "https://domain.tld");
        response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://domain.tld");
        // Same header write through the System.Web (classic ASP.NET) HttpResponse API.
        response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "https://domain.tld");
    }
}
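A fuller version of the compliant approach, as an added example that is not part of this rule page or Datadog's code. It is an ASP.NET Core minimal API (Microsoft.NET.Sdk.Web); the origins, route paths and policy name are constructed placeholders. It shows the framework's CORS middleware configured with an explicit origin list, next to the AllowAnyOrigin() setting that produces the flagged "*" header, and a hand-written allowlist check for code paths that set the header themselves, as the compliant snippet above does.

```csharp
// Added example (not from the rule page): restricting CORS to trusted origins
// in ASP.NET Core, both through the CORS middleware and by hand.
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Net.Http.Headers;

var builder = WebApplication.CreateBuilder(args);

// Non-compliant: AllowAnyOrigin() emits Access-Control-Allow-Origin: * for every
// caller, which is the middleware equivalent of the "*" header the rule flags.
// builder.Services.AddCors(o => o.AddPolicy("Open", p => p.AllowAnyOrigin()));

// Compliant: the middleware only returns an Origin that appears in the list.
builder.Services.AddCors(o => o.AddPolicy("Trusted", p => p
    .WithOrigins(TrustedOrigins.List)   // constructed allowlist, see below
    .WithMethods("GET", "POST")
    .WithHeaders(HeaderNames.ContentType)));

var app = builder.Build();

// Enable the middleware; policies are attached per endpoint with RequireCors.
app.UseCors();

// Endpoint protected by the middleware policy (placeholder route).
app.MapGet("/api/data", () => Results.Ok(new { ok = true }))
   .RequireCors("Trusted");

// Endpoint that writes the header itself (no RequireCors, so the middleware
// leaves it alone); the allowlist check lives in TrustedOrigins.Apply.
app.MapGet("/legacy/data", (HttpContext ctx) =>
{
    TrustedOrigins.Apply(ctx.Request, ctx.Response);
    return Results.Ok(new { ok = true });
});

app.Run();

static class TrustedOrigins
{
    // Constructed allowlist (placeholder origins). Entries are full origins:
    // scheme + host (+ port), compared exactly.
    public static readonly string[] List =
    {
        "https://app.example.com",
        "https://admin.example.com",
    };

    static readonly HashSet<string> Set = new(List, StringComparer.Ordinal);

    // Sets Access-Control-Allow-Origin only for an allowlisted Origin.
    public static void Apply(HttpRequest request, HttpResponse response)
    {
        // Origin is caller-controlled input. Echoing it back unchecked would
        // be functionally the same as "*", so it is only returned when it is
        // an exact member of the allowlist.
        string origin = request.Headers[HeaderNames.Origin].ToString();
        if (string.IsNullOrEmpty(origin) || !Set.Contains(origin))
        {
            return; // no CORS header at all: the browser refuses the cross-origin read
        }

        response.Headers[HeaderNames.AccessControlAllowOrigin] = origin;
        // The response now differs per Origin; tell shared caches so that one
        // origin's response is never served to another.
        response.Headers.Append(HeaderNames.Vary, HeaderNames.Origin);
    }
}
```

The hand-written path is the one to audit in a codebase that hits this rule: the fix is not only replacing "*" with a literal origin but making sure that any reflected Origin value is first matched exactly against a fixed allowlist, and that Vary: Origin accompanies the per-origin header.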