Setting an overly permissive Cross-Origin Resource Sharing (CORS) policy allows malicious websites to read responses from your application on behalf of authenticated users.

Why is this an issue?

Same-origin policy in browsers prevents JavaScript from making cross-origin HTTP requests to resources with a different origin (domain, protocol, or port). The Cross-Origin Resource Sharing (CORS) mechanism allows servers to relax this restriction by including Access-Control-Allow-Origin response headers that tell browsers which origins are permitted.

Setting the Access-Control-Allow-Origin header to a wildcard (*) or dynamically reflecting a user-supplied Origin header without validation completely disables same-origin protection for the affected resource.

What is the potential impact?

Sensitive data exposure

When CORS restrictions are disabled, a malicious website visited by an authenticated user can issue cross-origin requests to the vulnerable application and read the responses. This allows attackers to steal sensitive data accessible to the victim, such as account details, API keys, or private application data.

Account takeover

If the application is also configured with Access-Control-Allow-Credentials: true, the browser will include cookies and HTTP authentication headers in cross-origin requests. Attackers can then perform authenticated operations on behalf of the victim, potentially leading to full account takeover or unauthorized data modification.

How to fix it in Django

Set CORS_ORIGIN_ALLOW_ALL to False and configure specific allowed origins.

Code examples

Noncompliant code example

CORS_ORIGIN_ALLOW_ALL = True # Noncompliant

Compliant solution

CORS_ORIGIN_ALLOW_ALL = False

How to fix it in Flask

Configure the CORS extension with specific allowed origins and validate user-supplied origins against an allow-list.

Code examples

Noncompliant code example

from flask import Flask
from flask_cors import CORS

app = Flask(__name__)
CORS(app, resources={r"/*": {"origins": "*"}}) # Noncompliant

User-controlled origin:

origin = request.headers['ORIGIN']
resp = Response()
resp.headers['Access-Control-Allow-Origin'] = origin # Noncompliant

Compliant solution

from flask import Flask
from flask_cors import CORS

app = Flask(__name__)

TRUSTED_ORIGINS = [
    "https://example.com",
]

CORS(app, resources={r"/*": {"origins": TRUSTED_ORIGINS}})

User-controlled origin validated with an allow-list:

TRUSTED_ORIGINS = ["https://example.com"]
origin = request.headers['ORIGIN']
resp = Response()
if origin in TRUSTED_ORIGINS:
   resp.headers['Access-Control-Allow-Origin'] = origin

Resources

Documentation

• MDN - Cross-Origin Resource Sharing (CORS)
• MDN - Same-origin policy
• OWASP HTML5 Security Cheat Sheet - Cross Origin Resource Sharing

Standards

• OWASP - Top 10 2021 Category A5 - Security Misconfiguration
• OWASP - Top 10 2021 Category A7 - Identification and Authentication Failures
• OWASP - Top 10 2017 Category A6 - Security Misconfiguration
• CWE - CWE-346 - Origin Validation Error
• CWE - CWE-942 - Overly Permissive Cross-domain Whitelist