We have a scan report which found we are vulnerable to CORS:
https://mysite.com/cors/
Access-Control-Allow-Origin: https://www.evil.com
Access-Control-Allow-Credentials: true
Any origin is accepted (Blindly reflect the Origin header value in Access-Control-Allow-Origin headers in responses)
Request
GET /cors/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: mysite.com
Connection: Keep-alive
How do I add the Access-Control-Allow-Origin header with only selected, trusted domains in SecureSphere?
Thanks,
Noam.
Noam Rotter
Security Engineer
Jerusalem
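The finding above is the classic "reflect any Origin, with credentials" misconfiguration. The following is an added example (not from this post, and not SecureSphere configuration) of the server-side logic a WAF rule or backend should implement instead: the vulnerable reflecting behaviour next to an exact-match allowlist. The origins in `TRUSTED_ORIGINS` are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist: full origins (scheme + host), compared by exact match.
TRUSTED_ORIGINS = frozenset({
    "https://mysite.com",
    "https://app.mysite.com",
})


def reflecting_cors_headers(request_headers: dict) -> dict:
    """The behaviour the scanner flagged: echo whatever Origin arrives and
    allow credentials, so any site can read authenticated responses."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlisted_cors_headers(request_headers: dict, allow_credentials: bool = True) -> dict:
    """Hardened variant: only an origin that exactly matches the allowlist is
    echoed back. Substring/suffix checks are deliberately avoided, so
    https://mysite.com.evil.com is rejected. 'null' and missing Origin get
    no Access-Control-* headers at all."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # A browser Origin is scheme://host[:port] only; anything else is suspect.
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return {"Vary": "Origin"}
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalized not in TRUSTED_ORIGINS:
        return {"Vary": "Origin"}
    headers = {
        "Access-Control-Allow-Origin": normalized,
        "Vary": "Origin",  # the header differs per Origin, so caches must key on it
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

`Vary: Origin` is emitted even on rejection so a shared cache never serves one origin's response to another.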