Invicti detected a possibly misconfigured Access-Control-Allow-Origin header in the resource's HTTP response.
Cross-origin resource sharing (CORS) is a mechanism that allows resources on a web page to be requested from outside their own domain through XMLHttpRequest.
Unless this HTTP header is present, such "cross-domain" requests are forbidden by web browsers, per the same-origin security policy.
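The header carries a single origin (or a wildcard), so a site that has to serve several trusted origins must choose the value per request. The sketch below is an added example, not Invicti's code or part of the original page, and it goes beyond the fixed single-domain settings the page lists; the allowlist entries and the function names `normalize_origin` and `cors_headers` are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): exact scheme://host[:port] origins this site trusts.
TRUSTED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})


def normalize_origin(value):
    """Return a canonical 'scheme://host[:port]' string, or None if not a valid origin."""
    if not value or value == "null":
        return None  # absent header, or the opaque "null" origin: never trusted
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on an out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # An Origin header carries no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    host = parts.hostname  # already lower-cased by urlsplit
    if ":" in host:
        host = f"[{host}]"  # IPv6 literal keeps its brackets
    return f"{parts.scheme}://{host}" + ("" if port in (None, default) else f":{port}")


def cors_headers(request_origin, trusted=TRUSTED_ORIGINS):
    """Headers to add to the response for this request's Origin value."""
    headers = {"Vary": "Origin"}  # response differs per Origin, so caches must key on it
    origin = normalize_origin(request_origin)
    # Exact match only: no substring, prefix or suffix comparison.
    if origin is not None and origin in trusted:
        headers["Access-Control-Allow-Origin"] = origin
    return headers
```

An origin that is not on the allowlist gets no Access-Control-Allow-Origin header at all, so the browser's same-origin policy blocks the cross-origin read.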
- Add the following line inside either the <Directory>, <Location>, <Files> or <VirtualHost> sections of your server config (usually located in apache.conf), or within a
Header set Access-Control-Allow-Origin "domain"
- Open Internet Information Services (IIS) Manager
- Right-click the site you want to enable CORS for and go to Properties
- Change to the HTTP Headers tab
- In the Custom HTTP headers section, click Add
- Enter Access-Control-Allow-Origin as the header name
- Enter domain as the header value
- Merge the following XML into the web.config file at the root of your application or site:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="domain" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
- If you don't have access to configure IIS, you can still add the header through ASP.NET by adding the following line to your source pages: