CORS issue
Hi, can anybody help me with the following problems that have been identified on a routine security scan?
HTML5 Cross Origin Resource Sharing (CORS) policy permits any origin. Cookies Permitted
Hello,

Could you provide some more information about the specific security scan? Is it running against an individual website? Does it output any additional information?

Thank you.
This is a snippet of the report. It is from AppCheck:

CVSS: 8.3
Impact/Prob: High/Medium

HTML5 Cross Origin Resource Sharing (CORS) policy permits any origin. Cookies Permitted

The application implements an HTML5 cross-origin resource sharing (CORS) policy which allows access from any domain. Permitting access from any origin could present a security risk unless the affected application hosts only unprotected public content.

CVSS Score: 8.3
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:P/A:P
Impact/Probability: High/Medium
Affected:

The application implements an HTML5 cross-origin resource sharing (CORS) policy which allows access from any domain. Permitting access from any origin could present a security risk unless the affected application hosts only unprotected public content.

This vulnerability check works by submitting a custom Origin header to the target server to determine if all requested origins are permitted. The submitted value is based on the current server domain with an appended parent domain.

1.1.1. Remediation
Review the domains which are allowed by the CORS policy in relation to any sensitive content within the application.

1.1.2. Technical Analysis
Example: as the origin domain:
Origin:
access-control-allow-credentials: true

The inclusion of the access-control-allow-credentials header means that the site permits authenticated requests using cookies.
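The check the report describes can be reproduced by hand. The following is an added example, not code from the thread or from AppCheck: it builds the same kind of attacker-controlled Origin (the target host with a parent domain appended), classifies the response headers the way the finding does, and can optionally send one real request. The host names, the parent domain "attacker.example" and the sample response headers are constructed for the example.

```python
"""
Offline model of the scanner's CORS probe.

Added example, not code from the original thread or from AppCheck. It builds
the kind of attacker-controlled Origin the report describes (the target host
with a parent domain appended) and classifies the response headers the way
the finding does. Host names and headers are constructed test data; the
parent domain "attacker.example" is an assumption.
"""
import sys
import urllib.error
import urllib.request
from typing import Dict, Mapping
from urllib.parse import urlsplit


def probe_origin(target_host: str, appended_parent: str = "attacker.example") -> str:
    """Origin the scanner sends: the target host with a parent domain appended.

    shop.example.com -> https://shop.example.com.attacker.example
    An origin check that uses startswith()/substring matching on the real
    host name accepts this even though the site belongs to someone else.
    """
    return f"https://{target_host}.{appended_parent}"


def classify_cors(sent_origin: str, headers: Mapping[str, str]) -> str:
    """Classify a response to a request that carried `sent_origin`.

    no-cors                no Access-Control-Allow-Origin header at all
    wildcard               ACAO: *  (browsers refuse to send cookies to '*')
    wildcard-credentials   ACAO: * plus ACAC: true (browsers still refuse)
    reflected              ACAO echoes our origin, no credentials
    reflected-credentials  ACAO echoes our origin AND ACAC: true
    restricted             ACAO names some other, fixed origin
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard-credentials" if creds else "wildcard"
    if acao == sent_origin:
        return "reflected-credentials" if creds else "reflected"
    return "restricted"


def is_finding(verdict: str) -> bool:
    """The report's condition: any origin accepted *and* cookies permitted.

    Only this case lets another site's JavaScript read responses that were
    sent with the victim's session cookie.
    """
    return verdict == "reflected-credentials"


# Constructed responses to the probe origin, not captured from a real host.
PROBE = probe_origin("shop.example.com")
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "vulnerable": {"Access-Control-Allow-Origin": PROBE,
                   "Access-Control-Allow-Credentials": "true"},
    "public-only": {"Access-Control-Allow-Origin": "*"},
    "fixed": {"Access-Control-Allow-Origin": "https://app.example.com",
              "Access-Control-Allow-Credentials": "true",
              "Vary": "Origin"},
    "none": {},
}


def run_samples() -> Dict[str, str]:
    """Classify each constructed response against the probe origin."""
    return {name: classify_cors(PROBE, hdrs) for name, hdrs in SAMPLE_RESPONSES.items()}


def fetch_headers(url: str, origin: str, timeout: float = 10.0) -> Dict[str, str]:
    """Send one GET with a custom Origin and return the response headers.

    Error status codes still carry headers, so they are returned too.
    """
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Live check against a site you are authorised to test:
        #   python cors_probe.py https://shop.example.com/
        url = sys.argv[1]
        origin = probe_origin(urlsplit(url).hostname or "")
        verdict = classify_cors(origin, fetch_headers(url, origin))
        print(f"Origin sent: {origin}\nverdict: {verdict}, finding: {is_finding(verdict)}")
    else:
        for name, verdict in run_samples().items():
            print(f"{name:12s} {verdict:22s} finding={is_finding(verdict)}")
```

Run with no arguments it classifies the constructed samples; with a URL it performs the same single request the report describes. The wildcard cases are listed separately because a browser never attaches cookies to a response that carries `Access-Control-Allow-Origin: *`, so only the reflected-with-credentials case matches the "Cookies Permitted" part of the finding.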
Can this be fixed through cPanel?
Hello,

Review the .htaccess file within the account's home and public_html directories:

/home/$username/.htaccess
/home/$username/public_html/.htaccess

Do you see any entries starting with "Header set Access-Control-Allow-Origin"? If so, you'd need to remove those entries to pass that scan.

Thank you.
There is no entry like this in the .htaccess file on this account.
Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
Are support tickets free? We have just recently purchased a license.
Ticket raised: 8040503
To update, it looks like the headers were set as part of WordPress PHP files installed on an account.

Thank you.
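The thread does not show the WordPress PHP that emitted the headers, so the following is an added example rather than that code: it models two ways a site ends up "permitting any origin" (echoing the request Origin, and a prefix test that the scanner's appended parent domain defeats) next to the allowlist decision the PHP should make instead. The trusted origins and the probe origin are constructed for the example.

```python
"""
Reference server-side CORS policy for the fix.

Added example, not the WordPress PHP from the account in this thread. The
trusted origins and the attacker origin below are constructed.
"""
from typing import Callable, Dict, FrozenSet, Optional

# Exact origins (scheme://host[:port]) allowed to make credentialed requests.
TRUSTED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Weak pattern 1: echo whatever Origin arrives, with credentials.

    This is the behaviour the scan detects: its probe origin comes back
    verbatim together with Access-Control-Allow-Credentials: true.
    """
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_prefix_match(origin: Optional[str],
                              site: str = "https://app.example.com") -> Dict[str, str]:
    """Weak pattern 2: 'is it our domain?' via a prefix test.

    https://app.example.com.attacker.example passes startswith(), which is
    exactly why the scanner appends a parent domain to the real host name.
    """
    if origin is None or not origin.startswith(site):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin: Optional[str], allow_credentials: bool = True,
                 trusted: FrozenSet[str] = TRUSTED_ORIGINS) -> Dict[str, str]:
    """Hardened decision: exact match against a fixed allowlist.

    - Unknown or absent Origin: emit nothing, so the browser blocks reads.
    - Known Origin: echo that exact value (never '*' together with
      credentials, which browsers reject anyway) and add Vary: Origin so
      shared caches keep the per-origin responses apart.
    """
    if origin is None or origin not in trusted:
        return {}
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    return out


def accepts_probe(policy: Callable[[Optional[str]], Dict[str, str]],
                  probe: str = "https://app.example.com.attacker.example") -> bool:
    """Would this policy pass the scanner's probe origin with cookies allowed?"""
    h = policy(probe)
    return (h.get("Access-Control-Allow-Origin") == probe
            and h.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    for policy in (cors_headers_reflecting, cors_headers_prefix_match, cors_headers):
        print(f"{policy.__name__:26s} accepts probe: {accepts_probe(policy)}")
```

In WordPress the same decision belongs wherever the offending `header()` calls live, typically a plugin or theme hooked on the `send_headers` action; in Apache the equivalent weak setting is the `Header set Access-Control-Allow-Origin "*"` line mentioned earlier in the thread. In both cases the test is the same: the probe origin must not come back in `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`.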