Avoid unsafe CORS headers This product is not supported for your selected
Datadog site . (
).
TRY THIS RULE ID: csharp-security/unsafe-cors
Language: C#
Severity: Warning
Category: Security
CWE : 346
Description Your CORS policy should never allow all other resources. Instead, you must have a restrictive CORS policy to ensure your application only connects and exchanges data with trusted sources.
Learn More Non-Compliant Code Examples namespace Foo
{
public class Startup
{
public IConfiguration Configuration { get ; }
public void ConfigureServices ( IServiceCollection services )
{
services . AddCors ( o => o . AddPolicy ( "AllowAllPolicy" , options =>
{
options . AllowAnyOrigin ()
. AllowAnyMethod ()
. AllowAnyHeader ()
. WithExposedHeaders ( "X-InlineCount" );
}));
}
}
class MyClass {
public static void run ()
{
app . UseCors ( builder =>
builder
. AllowAnyOrigin ()
. AllowAnyMethod ()
. AllowAnyHeader ());
}
}
class MyClass {
public static void payloadDecode ()
{
response . Headers . Add ( "Access-Control-Allow-Origin" , "*" );
response . Headers . Add ( HeaderNames . AccessControlAllowOrigin , "*" );
response . AppendHeader ( HeaderNames . AccessControlAllowOrigin , "*" );
}
}
Compliant Code Examples class MyClass {
public static void payloadDecode ()
{
response . Headers . Add ( "Access-Control-Allow-Origin" , "https://domain.tld" );
response . Headers . Add ( HeaderNames . AccessControlAllowOrigin , "https://domain.tld" );
response . AppendHeader ( HeaderNames . AccessControlAllowOrigin , "https://domain.tld" );
}
}
class MyClass {
public static void run ()
{
app . UseCors ( builder =>
builder
. WithOrigins ( "https://myfrontend.example.com" )
. AllowAnyMethod ()
. AllowAnyHeader ());
}
}
Seamless integrations. Try Datadog Code Security
