Permissive List of Allowed Inputs
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-183: Permissive List of Allowed Inputs |
| OWASP | A04:2021 - Insecure Design |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The application responds with the header `Access-Control-Allow-Origin: *`, which tells browsers that any website may read responses from its resources. This switches off the cross-origin protection the browser's Same Origin Policy would otherwise enforce and makes your API readable from any domain.
Impact
Attackers can use malicious websites to make requests to your API on behalf of users, potentially exposing sensitive data or enabling unauthorized actions. This can lead to data leaks, cross-site request forgery (CSRF), and other security risks if the API is not otherwise protected.
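The usual fix for the wildcard described above is an exact-match allowlist of trusted origins. The following is an added, framework-agnostic example (not code from the original rule page): it shows the permissive header beside a function that only echoes back an origin present in the allowlist. The function names and the sample origins are constructed for illustration.

```javascript
// Weak configuration: every origin, including any attacker-controlled site,
// is allowed to read responses.
function corsHeadersPermissive() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened configuration: only origins on an explicit allowlist are accepted.
// Sample values are constructed for this example.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Returns the CORS response headers to add for a given request Origin header.
function corsHeadersStrict(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // Same-origin and non-browser requests carry no Origin header: add nothing.
  if (typeof requestOrigin !== "string") return {};
  // Exact string comparison only. No prefix/suffix or regex matching, so
  // "https://app.example.com.attacker.test" and "http://app.example.com"
  // are rejected, as is the literal "null" origin sent by sandboxed frames.
  if (!allowed.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    // The response now depends on the Origin header; tell caches so they do
    // not serve one origin's response to another.
    Vary: "Origin",
  };
}

// Audit helper: flags a response header set that still uses the wildcard.
function isCorsHeaderPermissive(headers) {
  return headers["Access-Control-Allow-Origin"] === "*";
}
```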