Avoid unsafe CORS headers in Symfony


Metadata

ID: php-security/symfony-unsafe-cors

Language: PHP

Severity: Error

Category: Security

CWE: 346

Description

This rule flags Cross-Origin Resource Sharing (CORS) configurations in Symfony applications that allow any origin. The Access-Control-Allow-Origin response header tells the browser which origins are permitted to read the response.

Setting the 'Access-Control-Allow-Origin' header to a wildcard (*) permits every origin to read the response. The rule treats this as unsafe because it can expose the application to security risks such as Cross-Site Request Forgery (CSRF) and data breaches.

To comply with this rule, always specify the exact domain (origin) that is allowed to access the resource. For instance, instead of a wildcard (*), use 'Access-Control-Allow-Origin' => 'domain.tld'. This restricts access to the specified domain only and reduces the exposure of the response to other origins.

Non-Compliant Code Examples

<?php
use Symfony\Component\HttpFoundation\Response;

// Wildcard passed directly in the headers array of the Response constructor.
$response = new Response('content', Response::HTTP_OK, Array('Access-Control-Allow-Origin' => '*'));

// Wildcard reaching the constructor through a variable.
$var = ['Access-Control-Allow-Origin' => '*'];
$response = new Response('content', Response::HTTP_OK, $var);

// Wildcard set on an existing response; header names are case-insensitive.
$response->headers->set('access-control-allow-origin', '*');

Compliant Code Examples

<?php
use Symfony\Component\HttpFoundation\Response;

// A single, explicit origin in the constructor headers array.
$response = new Response('content', Response::HTTP_OK, Array('Access-Control-Allow-Origin' => 'domain.tld'));

// The same explicit origin set on an existing response.
$response->headers->set('access-control-allow-origin', 'domain.tld');
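When more than one origin must be served, the compliant pattern generalises to an allowlist: echo the request's Origin back only if it exactly matches a configured origin, and send no CORS header otherwise. The following is an added example, not code from the rule page or from Symfony; it assumes symfony/http-foundation is installed via Composer, and the origins in ALLOWED_ORIGINS and the helper applyCors are hypothetical.

```php
<?php
// Added example: allowlist-based CORS instead of a wildcard.
// Assumes symfony/http-foundation is installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

// Hypothetical allowlist of full origins (scheme and host, plus port if any).
const ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://admin.example.com',
];

/**
 * Set Access-Control-Allow-Origin only when the request's Origin header is an
 * exact match for an allowlisted origin. Unknown origins get no CORS header,
 * so the browser refuses the cross-origin read. Vary: Origin keeps shared
 * caches from serving one origin's response to a different origin.
 */
function applyCors(Request $request, Response $response, array $allowed): Response
{
    $origin = $request->headers->get('Origin');

    // Strict comparison against whole values: no substring, prefix or regex
    // matching, which would also accept unrelated hosts containing the name.
    if ($origin !== null && in_array($origin, $allowed, true)) {
        $response->headers->set('Access-Control-Allow-Origin', $origin);
    }
    $response->headers->set('Vary', 'Origin', false);

    return $response;
}

// Constructed requests for a quick local check (HTTP_ORIGIN becomes the Origin header).
$trusted   = Request::create('/api/data', 'GET', [], [], [], ['HTTP_ORIGIN' => 'https://app.example.com']);
$untrusted = Request::create('/api/data', 'GET', [], [], [], ['HTTP_ORIGIN' => 'https://other.example']);

$r1 = applyCors($trusted, new Response('content', Response::HTTP_OK), ALLOWED_ORIGINS);
$r2 = applyCors($untrusted, new Response('content', Response::HTTP_OK), ALLOWED_ORIGINS);

var_dump($r1->headers->get('Access-Control-Allow-Origin'));
var_dump($r2->headers->get('Access-Control-Allow-Origin'));
```

Because the header value is taken from the allowlist match rather than copied blindly from the request, the response never contains an origin the application did not configure.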