Permissive Access-Control-Allow-Origin configuration

• Rule ID: php_symfony_permissive_allow_origin
• Languages: php
• Source: permissive_allow_origin.yml

Description

A permissive Access-Control-Allow-Origin configuration can expose your application to security risks. When this header is set to "*", it means your application's responses can be accessed by any website, potentially leading to unauthorized access to sensitive information.

Remediations

• Do not set the Access-Control-Allow-Origin header to "*". This overly permissive setting can make your application vulnerable to attacks.

  $response = new Response();
  $response->headers->set('Access-Control-Allow-Origin', "*"); // unsafe

• Do restrict the Access-Control-Allow-Origin header to only allow specific, trusted origins that need access to your application. This minimizes the risk of sensitive data exposure.

  $response = new Response();
  $response->headers->set('Access-Control-Allow-Origin', "myapp.example.com");

References

• OWASP Origin & Access-Control-Allow-Origin

Associated CWE

• CWE-942: Permissive Cross-domain Policy with Untrusted Domains

OWASP Top 10

• A05:2021 - Security Misconfiguration

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_symfony_permissive_allow_origin

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_symfony_permissive_allow_origin