---
title: Avoid unsafe CORS headers
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Avoid unsafe CORS headers
---

# Avoid unsafe CORS headers

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `php-security/unsafe-cors`

**Language:** PHP

**Severity:** Error

**Category:** Security

**CWE**: [346](https://cwe.mitre.org/data/definitions/346.html)

**Related CWEs**:

- [940](https://cwe.mitre.org/data/definitions/940.html)

## Description{% #description %}

The Cross-Origin Resource Sharing (CORS) mechanism allows many resources (such as fonts or JavaScript) on a web page to be requested from another domain outside the domain from which the resource originated. It's a crucial feature, but it can also pose a significant security risk if not implemented properly.

This rule flags misuse of the `Access-Control-Allow-Origin` response header. This header tells browsers which origins are allowed to read the response from the server. If the server answers with `Access-Control-Allow-Origin: *`, it allows every origin to read its resources, which is an unsafe practice.

To adhere to this rule and ensure good coding practices, always specify the exact origin that is allowed to access the resources. For example, instead of using `header("Access-Control-Allow-Origin: *");`, which allows all origins, use `header("Access-Control-Allow-Origin: https://domain.tld");`, which only allows the specified domain to access the resources. This ensures that only trusted domains have access to your server's resources, thereby reducing the risk of cross-site request forgery (CSRF) or data leakage.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```php
<?php
// Insecure: Allowing all origins
header("Access-Control-Allow-Origin: *");
```

## Compliant Code Examples{% #compliant-code-examples %}

```php
<?php
// Secure: Only allows specified origin
header("Access-Control-Allow-Origin: https://domain.tld");
```
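Hard-coding a single origin works for one trusted site; when several trusted front-ends exist, the same rule is satisfied by checking the request's `Origin` against an explicit allowlist and echoing it only on an exact match. The following is an added example, not part of the rule's own snippets; the allowlist entries and hostnames are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Constructed allowlist of trusted origins (scheme + host, optional port).
const ALLOWED_ORIGINS = [
    'https://app.domain.tld',
    'https://admin.domain.tld',
];

/**
 * Return the origin to allow, or null when the request origin is not trusted.
 * Exact, strict comparison is deliberate: a prefix or substring check would
 * accept look-alike hosts such as "https://app.domain.tld.example", and
 * reflecting the Origin header unvalidated is equivalent to "*".
 */
function resolveAllowedOrigin(?string $requestOrigin, array $allowlist): ?string
{
    if ($requestOrigin === null || $requestOrigin === '') {
        return null; // same-origin or non-browser request: no CORS header needed
    }
    return in_array($requestOrigin, $allowlist, true) ? $requestOrigin : null;
}

/**
 * Emit CORS headers for the current request, or none at all when the origin
 * is not on the allowlist (the browser then blocks the cross-origin read).
 */
function emitCorsHeaders(?string $requestOrigin, array $allowlist): void
{
    $origin = resolveAllowedOrigin($requestOrigin, $allowlist);
    if ($origin === null) {
        return;
    }
    header('Access-Control-Allow-Origin: ' . $origin);
    // The response now varies per origin, so shared caches must key on Origin.
    header('Vary: Origin');
}

emitCorsHeaders($_SERVER['HTTP_ORIGIN'] ?? null, ALLOWED_ORIGINS);
```

Because the header value is only ever one of the allowlisted literals, a request-controlled `Origin` cannot reach the response unchanged.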