Missing Access-Control-Allow-Origin HTTP header


Description

This publicly exposed API endpoint does not implement the Access-Control-Allow-Origin (ACAO) header, which may allow attackers to exploit Cross-Origin Resource Sharing (CORS) vulnerabilities. Without this header properly configured, the API may be vulnerable to cross-site request forgery (CSRF) attacks where malicious websites could make unauthorized requests to the API using the user’s credentials.

Remediation

Implement the Access-Control-Allow-Origin (ACAO) header in all API responses with appropriate values:

  • Use specific origins instead of the wildcard ‘*’.
  • Only allow trusted domains that need access to the API.

Example header value:

Access-Control-Allow-Origin: https://trusted-domain.com
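The remediation above boils down to an exact-match allow-list: reflect the request's Origin only when it is one of the trusted origins, and otherwise send no Access-Control-Allow-Origin header at all (never ‘*’, never the raw reflected value). The following is an added example, not code from the original page; the allow-list entries, the `cors_headers` and `normalize_origin` helpers and the request origins in `main` are all constructed for illustration. It also goes slightly beyond the text by normalising scheme, host case and default ports, and by adding `Vary: Origin` so shared caches do not serve one origin's response to another.

```python
"""Exact-match Origin allow-list for Access-Control-Allow-Origin (added example).

Assumptions (not from the original page): the API handler hands us the raw
Origin request header and emits whatever headers this module returns.
"""
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Return 'scheme://host[:port]' in canonical form, or None if unusable.

    A real Origin header is just scheme + host + optional port, so anything
    carrying a path, query, credentials or an unknown scheme (including the
    literal 'null' origin) is rejected rather than guessed at.
    """
    if not origin:
        return None
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    host = parts.hostname  # already lower-cased by urlsplit
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


# Constructed allow-list: only the origins that genuinely need API access.
# Entries are normalised once so comparisons below are exact string matches.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset(
    o for o in map(normalize_origin, [
        "https://trusted-domain.com",
        "https://app.trusted-domain.com",
    ]) if o
)


def cors_headers(request_origin: Optional[str],
                 allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return the CORS response headers for one request.

    The Origin is reflected only on an exact allow-list match; a mismatch,
    a missing header or an unparsable value yields no ACAO header at all.
    'Vary: Origin' is always set because the response differs per origin.
    """
    headers = {"Vary": "Origin"}
    origin = normalize_origin(request_origin)
    if origin is not None and origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
    return headers


def main() -> None:
    # Constructed sample Origin values a server might see.
    samples = [
        "https://trusted-domain.com",              # allowed
        "https://TRUSTED-DOMAIN.com:443",          # same origin, odd spelling
        "https://trusted-domain.com.evil.example", # suffix trick, must fail
        "http://trusted-domain.com",               # wrong scheme, must fail
        "null",                                    # opaque origin, must fail
        None,                                      # same-origin / non-browser
    ]
    for origin in samples:
        print(f"{origin!r:45} -> {cors_headers(origin)}")


if __name__ == "__main__":
    main()
```

Note that the scheme is part of the origin: `http://trusted-domain.com` is not the same origin as `https://trusted-domain.com` and is not granted access. Suffix or substring matching on the host (a common mistake) is avoided entirely by comparing the whole normalised origin string.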