ID: php-security/symfony-unsafe-cors
Language: PHP
Severity: Error
Category: Security
CWE: 346
This rule is about preventing Cross-Origin Resource Sharing (CORS) misconfigurations in Symfony applications. The `Access-Control-Allow-Origin` response header tells the browser which origins are allowed to read the response of a cross-origin request.
Setting the header to the wildcard `*` declares that any origin may read the response. That is unsafe: any website a user visits can then fetch the endpoint from the user's browser and read the result, which exposes data that was only protected by where the client sits (for example an API reachable from an intranet or behind an IP allow-list). Browsers refuse to send cookies or `Authorization` headers to a wildcard origin, so the common workaround of reflecting the request's `Origin` header back unchanged is worse than `*`: it is a wildcard that also works with the victim's credentials, which enables the cross-site request forgery (CSRF) and data-leak scenarios this rule is meant to prevent.
To comply with this rule, always name the exact origin that is allowed to access the resource. An origin is the scheme plus the host (plus the port if it is not the default), so use a value such as `'Access-Control-Allow-Origin' => 'https://domain.tld'` rather than the wildcard; a bare hostname without a scheme does not match any browser origin and will simply block every cross-origin read. Restricting the header to the specific origin means only that site can read your responses, which removes the exposure described above. If several origins are legitimate, compare the incoming `Origin` header against a fixed allow-list and echo back only an exact match, together with `Vary: Origin` so shared caches do not serve one origin's header to another.
Non-compliant code examples (each one hands the wildcard to the browser, whether it is written inline, built in a variable first, or set on the existing header bag):

```php
<?php

use Symfony\Component\HttpFoundation\Response;

// Wildcard passed directly in the constructor's header array.
$response = new Response('content', Response::HTTP_OK, ['Access-Control-Allow-Origin' => '*']);

// Same wildcard, only hidden behind a variable: still flagged.
$var = ['Access-Control-Allow-Origin' => '*'];
$response = new Response('content', Response::HTTP_OK, $var);

// Header names are case-insensitive, so the lower-case form is just as unsafe.
$response->headers->set('access-control-allow-origin', '*');
```
Compliant code examples (the allowed origin is spelled out, including its scheme):

```php
<?php

use Symfony\Component\HttpFoundation\Response;

// Exact origin (scheme + host) in the constructor's header array.
$response = new Response('content', Response::HTTP_OK, ['Access-Control-Allow-Origin' => 'https://domain.tld']);

// Exact origin set on the header bag of an existing response.
$response->headers->set('access-control-allow-origin', 'https://domain.tld');
```
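The compliant snippets above hard-code a single origin. When more than one origin is legitimate, the safe pattern is an exact-match allow-list, never a reflection of the request's `Origin` header. The following is an added example, not code from the rule page or from Symfony itself; it assumes `symfony/http-foundation` is installed via Composer, and the origins, the `/api/profile` path and the helper name `applyCors` are illustrative.

```php
<?php
// Added example: allow-list based CORS handling with Symfony HttpFoundation.
// Assumes `composer require symfony/http-foundation`; origins below are made up.

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

// Full origins only (scheme + host [+ port]). A bare 'domain.tld' never matches.
const ALLOWED_ORIGINS = [
    'https://app.domain.tld',
    'https://admin.domain.tld',
];

/**
 * Adds CORS headers only when the request's Origin is an exact allow-list match.
 * Anything else gets no Access-Control-Allow-Origin at all, so the browser
 * blocks the cross-origin read. The Origin header is never echoed blindly:
 * unconditional reflection is a wildcard that also works with credentials.
 */
function applyCors(Request $request, Response $response): Response
{
    // Caches must key on Origin, otherwise one origin's header could be
    // served from cache to a different origin.
    $response->setVary('Origin', false);

    $origin = $request->headers->get('Origin');
    if ($origin === null) {
        // Same-origin or non-browser request: nothing to grant.
        return $response;
    }

    // Strict, case-sensitive comparison; no prefix or regex matching.
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return $response;
    }

    $response->headers->set('Access-Control-Allow-Origin', $origin);
    $response->headers->set('Access-Control-Allow-Credentials', 'true');

    // Preflight: answer the browser's OPTIONS probe without running the handler.
    if ($request->isMethod('OPTIONS') && $request->headers->has('Access-Control-Request-Method')) {
        $response->setStatusCode(Response::HTTP_NO_CONTENT);
        $response->setContent('');
        $response->headers->set('Access-Control-Allow-Methods', 'GET, POST');
        $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization');
        $response->headers->set('Access-Control-Max-Age', '600');
    }

    return $response;
}

// Constructed requests for demonstration: an allowed origin, a hostile one,
// the same host without a scheme, and a request with no Origin at all.
foreach (['https://app.domain.tld', 'https://evil.example', 'app.domain.tld', null] as $origin) {
    $request = Request::create('/api/profile', 'GET');
    if ($origin !== null) {
        $request->headers->set('Origin', $origin);
    }
    $response = applyCors($request, new Response('{"user":"alice"}', Response::HTTP_OK));
    printf(
        "Origin %-26s -> Access-Control-Allow-Origin: %s\n",
        var_export($origin, true),
        $response->headers->get('Access-Control-Allow-Origin') ?? '(none)'
    );
}
```

Only the first request receives an `Access-Control-Allow-Origin` header; the hostile origin, the scheme-less value and the origin-less request all get none, which is the browser-side equivalent of "deny". Running `applyCors` from a kernel response event listener applies the same policy to every response without touching individual controllers.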