- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: php-security/unsafe-cors
Language: PHP
Severity: Error
Category: Security
CWE: 346
The Cross-Origin Resource Sharing (CORS) mechanism allows many resources (such as fonts or JavaScript) on a web page to be requested from another domain outside the domain from which the resource originated. It’s a crucial feature, but it can also pose a significant security risk if not implemented properly.
This rule is important because it helps prevent potential security vulnerabilities. Specifically, it prevents the misuse of the Access-Control-Allow-Origin
header. This header indicates which origins are allowed to read the response from the server. If the server sends back a response with the Access-Control-Allow-Origin: *
header, this means it’s allowing all origins to access its resources, which is an unsafe practice.
To adhere to this rule and ensure good coding practices, always specify the exact origin that is allowed to access the resources. For example, instead of using header("Access-Control-Allow-Origin: *");
, which allows all origins, use header("Access-Control-Allow-Origin: https://domain.tld");
, which only allows the specified domain to access the resources. This ensures that only trusted domains have access to your server’s resources, thereby reducing the risk of cross-site request forgery (CSRF) or data leakage.
<?php
// Insecure: Allowing all origins
header("Access-Control-Allow-Origin: *");
<?php
// Secure: Only allows specified origin
header("Access-Control-Allow-Origin: https://domain.tld");
|
|
For more information, please read the Code Analysis documentation
Identify code vulnerabilities directly in yourVS Code editor
Identify code vulnerabilities directly inJetBrains products