This article is part of our Web Security Knowledge Base.

Why “Cross-Domain Misconfiguration” can be dangerous

For security reasons, browsers by default don’t allow different websites (those on different domains) to exchange requests with each other. However, there are scenarios in which that behaviour is desirable. For that reason, certain HTTP headers (CORS headers) were introduced to let you configure which domains are eligible to get a response from a given URL on your website. However, misconfiguration of these headers may leave your website vulnerable to CSRF attacks.

How to fix “Cross-Domain Misconfiguration”

Make sure the Access-Control-Allow-Origin header is not excessively permissive (it must not have the wildcard * as its value). You may also remove all the CORS headers and rely on the browser’s default behaviour (the Same Origin Policy).
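The following is an added example, not ScanRepeat’s code, showing the weak wildcard setting next to an allow-list based responder, plus a black-box check in the spirit of the finding above. The allow-list origins and the probe origin are constructed values for illustration.

```javascript
// Constructed allow-list: the only origins permitted to read responses
// from this URL. Entries are full origins (scheme + host), matched exactly.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak setting: the wildcard lets a page on any origin read the response.
function weakCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Corrected setting: echo the request Origin only when it is on the
// allow-list, using an exact match (no prefix or suffix matching, so
// "https://app.example.com.evil.test" is rejected). When the origin is not
// allowed, send no CORS headers at all so the browser falls back to the
// Same Origin Policy.
function strictCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== "string" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    // Responses now differ per Origin; tell caches not to serve one
    // origin's answer to another.
    "Vary": "Origin",
  };
}

// Black-box check like a scanner would run: ask for the URL with an Origin
// that should not be trusted and see whether the resulting headers would
// let that origin read the body. True means "excessively permissive".
function isExcessivelyPermissive(responder, probeOrigin = "https://untrusted.example") {
  const headers = responder(probeOrigin);
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false; // no CORS headers: SOP applies
  if (acao === "*") return true;        // wildcard
  return acao === probeOrigin;          // origin reflected without an allow-list
}
```

`isExcessivelyPermissive(weakCorsHeaders)` returns true and `isExcessivelyPermissive(strictCorsHeaders)` returns false.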

How does ScanRepeat report “Cross-Domain Misconfiguration”

ScanRepeat reports URLs that have excessively permissive CORS headers.
