Permissive Cross-domain Policy with Untrusted Domains
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-942: Permissive Cross-domain Policy with Untrusted Domains |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | High |
Description
The CORS policy is configured to allow requests from any origin (`Access-Control-Allow-Origin: '*'`), so any website can interact with your API. This setup is insecure because it removes all restrictions on which origins may access your endpoints.
Impact
If exploited, malicious websites could make unauthorized requests to your API, potentially exposing sensitive data or enabling CSRF-style attacks. This could lead to data leaks, unauthorized actions, or compromise of user information.
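The following is an added example, not code from the rule page or from any scanner project: it places the permissive `*` policy the rule flags beside a hardened check that only echoes an `Origin` found in a closed allowlist. The allowlist entries, function names and probe origins are constructed for illustration; in a real service the same logic would sit in the middleware that sets response headers.

```javascript
// Added example (not from the original rule page). Demonstrates the
// misconfiguration CWE-942 describes and a strict allowlist alternative.

// Weak form flagged by the rule: every origin on the web is granted access.
function permissiveCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened form: a closed set of exact origins (scheme + host + port).
// These values are constructed for this example.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

function strictCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // No Origin header means a same-origin or non-browser request: nothing to grant.
  if (typeof requestOrigin !== 'string' || requestOrigin === '') {
    return {};
  }
  // Exact set membership only. A substring, prefix or regex test is a common
  // way to reintroduce the same weakness, and the literal value "null"
  // (sent by sandboxed frames and some file:// contexts) is rejected here too.
  if (!allowed.has(requestOrigin)) {
    return {};
  }
  return {
    // Echo the single matching origin instead of '*'.
    'Access-Control-Allow-Origin': requestOrigin,
    // Tell shared caches that the response depends on the Origin header.
    'Vary': 'Origin',
    // Credentials may only be allowed together with a specific origin;
    // browsers reject '*' combined with this header.
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
  };
}

// Compare how both policies answer a set of constructed probe origins.
function demo() {
  const probes = [
    'https://app.example.com',          // allowlisted
    'https://app.example.com.other.example', // look-alike host
    'null',                             // opaque origin
    '',                                 // no Origin header
  ];
  const rows = probes.map((origin) => ({
    origin: origin || '(none)',
    permissive: permissiveCorsHeaders()['Access-Control-Allow-Origin'],
    strict: strictCorsHeaders(origin)['Access-Control-Allow-Origin'] || '(denied)',
  }));
  console.table(rows);
  return rows;
}

demo();
```

Running the block prints a table in which the permissive policy answers `*` to every probe while the strict policy grants only the allowlisted origin. The `Vary: Origin` header matters in production: without it a cache may serve the response echoed for one origin to a browser on another.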