Imperva Cyber Community

How to mitigate CORS?

  • 1.  How to mitigate CORS?

    Posted 04-28-2021 03:24
    We have a scan report which found we are vulnerable to CORS:

    https://mysite.com/cors/
    Access-Control-Allow-Origin: https://www.evil.com
    Access-Control-Allow-Credentials: true

    Any origin is accepted (Blindly reflect the Origin header value in Access-Control-Allow-Origin headers in responses)

    Request
    GET /cors/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
    Host: mysite.com
    Connection: Keep-alive

    How do I add Access-Control-Allow-Origin header with only selected, trusted domains with Securesphere?

    Thanks,
    Noam.
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Noam Rotter
    Security Engineer
    Jerusalem
    ------------------------------
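
The finding in the post above is Origin reflection: whatever Origin the request carries is echoed into Access-Control-Allow-Origin together with Allow-Credentials. What the question asks for is an exact-match allowlist of trusted origins. The following is an added example, not code from this thread, from Imperva, or from any Securesphere rule; it shows the reflecting behaviour beside the allowlisted one in application terms, with a constructed list of trusted origins that you would replace with your own.

```python
# Added example (not from the thread or from Imperva): the CORS origin
# allowlist check that the question asks for, shown in application terms.
# The scan finding is the "reflect" behaviour; the fixed version only
# echoes origins from an exact-match allowlist.
from urllib.parse import urlsplit

# Constructed allowlist; replace with the trusted origins of your deployment.
TRUSTED_ORIGINS = frozenset({
    "https://mysite.com",
    "https://www.mysite.com",
    "https://app.partner.example",
})


def cors_headers_reflecting(origin):
    """Behaviour the scan reported: any Origin value is echoed back with credentials."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin):
    """Hardened behaviour: exact-match allowlist, never a substring or prefix match."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # Normalise scheme and host case; an Origin is scheme://host[:port] only,
    # so anything with a path, query or fragment (or the literal "null") is rejected.
    normalised = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if parts.path or parts.query or parts.fragment or normalised != origin.lower():
        return {}
    if normalised not in TRUSTED_ORIGINS:
        # Unknown origin: emit no CORS headers at all, so the browser blocks the read.
        return {}
    return {
        "Access-Control-Allow-Origin": normalised,
        "Access-Control-Allow-Credentials": "true",
        # Vary on Origin so a shared cache never serves one origin's header to another.
        "Vary": "Origin",
    }
```

Whichever layer enforces this (backend or WAF rule), the check must be an exact comparison against the allowlist; a "contains mysite.com" style match would still accept a host such as mysite.com.evil.com.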


  • 2.  RE: How to mitigate CORS?

    Community Manager
    Posted 04-30-2021 09:47
    Hi Noam,

    Thanks so much for posting your question here.

    I have asked some of the product team what they would respond to this one and, as much as I hate to say it, you need to raise it with support as it is quite technical. Sorry that we can't help on this occasion. It would be great to hear an update if you find something interesting that might be useful to the community.

    I look forward to your next post :-)

    Many thanks,

    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------



  • 3.  RE: How to mitigate CORS?

    Posted 05-02-2021 01:27
    Hi Sarah,

    Thanks for the update.
    I will continue with the support.

    Regards,
    Noam.

    ------------------------------
    Noam Rotter
    Security Engineer
    ------------------------------



  • 4.  RE: How to mitigate CORS?

    Posted 05-26-2021 17:04
    Hi Noam,

    What is this case's result? If you have a solution, could you share it with us?

    Regards,

    ------------------------------
    Gokhan Durusoy
    Presales Consultant
    Barikat Cyber Security
    Istanbul
    ------------------------------