Permissive Access-Control-Allow-Origin configuration

• Rule ID: python_django_permissive_allow_origin
• Languages: python
• Source: permissive_allow_origin.yml

Description

A permissive Access-Control-Allow-Origin configuration can expose your application to security risks. When this header is set to "*", it means your application's responses can be accessed by any website, potentially leading to unauthorized access to sensitive information.

Remediations

• Do not set the Access-Control-Allow-Origin header to "*". This overly permissive setting can make your application vulnerable to attacks.

  response.headers['Access-Control-Allow-Origin'] = '*' # unsafe

• Do restrict the Access-Control-Allow-Origin header to only allow specific, trusted origins that need access to your application. This minimizes the risk of sensitive data exposure.

  response.headers['Access-Control-Allow-Origin'] = 'myapp.example.com'

References

• OWASP Origin & Access-Control-Allow-Origin

Associated CWE

• CWE-942: Permissive Cross-domain Policy with Untrusted Domains

OWASP Top 10

• A05:2021 - Security Misconfiguration

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_django_permissive_allow_origin

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_django_permissive_allow_origin