JavaScript

Made by DeepSource

Misconfigured CORS in express JS-D002

Security
Major
A05, CWE-346, CWE-942, SANS Top 25, OWASP Top 10

Cross-Origin Resource Sharing (CORS) is a mechanism that lets web browsers perform cross-origin requests through the XMLHttpRequest API in a controlled manner. It defines the protocol a browser and a server use to decide whether a given cross-origin request is allowed, and which origins may read the response.

Setting Access-Control-Allow-Origin to the wildcard `*`, to `null`, or to an origin you do not control (for example google.com) is not a reliable way to secure the application: any page served from an origin that matches the header can read the response, and `null` is the origin that sandboxed frames and local files present, so neither value restricts access in practice.

Bad Practice

const express = require('express');
const app = express();
app.get('/', function (req, res) {
    // Wildcard origin: a script on any site can read this response.
    res.writeHead(200, { 'Access-Control-Allow-Origin': '*' });
    res.end('ok');
});
app.listen(3000);

Recommended

const express = require('express');
const app = express();
app.get('/', function (req, res) {
    // Name the single trusted origin explicitly. The value must be a full
    // origin (scheme and host); a bare hostname such as 'xyz.com' never
    // matches the Origin header a browser sends, so the browser blocks the read.
    res.set('Access-Control-Allow-Origin', 'https://xyz.com');
    res.send('ok');
});
app.listen(3000);
