Access-Control-Allow-Origin header with wildcard (*) value - Vulnerability Database


Description

Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls how web resources can be accessed across different origins. The Access-Control-Allow-Origin response header specifies which origins are permitted to read the response. When this header is set to the wildcard value (*), any website on the internet can issue a cross-origin request to the resource and read the response data. While this configuration may be appropriate for truly public resources, it can expose sensitive data or functionality if applied to resources that were not meant to be public.

Remediation

Review all endpoints returning the Access-Control-Allow-Origin: * header and implement the following remediation steps:

1. Identify Resource Sensitivity:
Determine whether the resource contains sensitive data or functionality. Only truly public resources (e.g., public fonts, images, or open APIs) should use the wildcard value.

2. Implement Origin Whitelisting:
For resources that should be shared with specific domains only, validate the Origin header against a whitelist and echo back only approved origins:

// Example: Node.js/Express middleware
const express = require('express');
const app = express();
const allowedOrigins = ['https://trusted-site.com', 'https://app.example.com'];

app.use((req, res, next) => {
  const origin = req.headers.origin;
  // Exact match only: a substring or unanchored regex check would also
  // accept origins such as https://trusted-site.com.attacker.example
  if (allowedOrigins.includes(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
  }
  next();
});

# Example: Apache .htaccess (requires mod_setenvif and mod_headers)
SetEnvIf Origin "^https://(trusted-site\.com|app\.example\.com)$" ORIGIN_ALLOWED=$0
Header set Access-Control-Allow-Origin "%{ORIGIN_ALLOWED}e" env=ORIGIN_ALLOWED

# Example: Nginx (add_header emits nothing while $cors is empty)
set $cors '';
if ($http_origin ~* '^https://(trusted-site\.com|app\.example\.com)$') {
    set $cors $http_origin;
}
add_header Access-Control-Allow-Origin $cors;

3. Remove Wildcard for Sensitive Endpoints:
If the resource should not be shared cross-origin at all, remove the Access-Control-Allow-Origin header entirely.

4. Consider Credentials:
If you need to support credentialed requests (cookies, authorization headers), you must specify exact origins; wildcards are not permitted with Access-Control-Allow-Credentials: true.
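The four remediation steps above combined into one origin-policy function, as an added example that is not part of the original entry: a pure function decides the CORS headers for a given Origin and resource policy, and a small Express-style wrapper applies them. The policy names, the trusted origin list and the sample origins are constructed for illustration.

```javascript
// Constructed allowlist (step 2). A Set gives exact string comparison, so
// 'https://trusted-site.com.evil.example' or 'http://trusted-site.com' never match.
const TRUSTED_ORIGINS = new Set(['https://trusted-site.com', 'https://app.example.com']);

// policy (hypothetical names): 'public'    -> step 1, wildcard is acceptable
//                              'allowlist' -> step 2, echo only approved origins
//                              'none'      -> step 3, no CORS header at all
// credentials: true when cookies/Authorization are accepted (step 4)
function corsHeadersFor(origin, { policy, credentials = false }) {
  const headers = {};
  if (policy === 'none') return headers;

  // Step 1: a truly public resource without credentials may use the wildcard.
  if (policy === 'public' && !credentials) {
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }

  // Steps 2 and 4: anything else needs an exact origin. A missing Origin or the
  // literal 'null' origin (sandboxed iframes, file://) is never echoed back.
  if (typeof origin !== 'string' || origin === 'null' || !TRUSTED_ORIGINS.has(origin)) {
    return headers;
  }
  headers['Access-Control-Allow-Origin'] = origin;
  // The response now depends on the Origin request header; tell shared caches
  // so one origin's reflected header is not served to another.
  headers['Vary'] = 'Origin';
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Express-style middleware built on the function above (hypothetical wrapper).
function corsMiddleware(options) {
  return (req, res, next) => {
    const headers = corsHeadersFor(req.headers.origin, options);
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}
```

Note that a 'public' policy with credentials enabled falls through to the exact-origin path, since a wildcard is rejected by browsers when Access-Control-Allow-Credentials is true.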
