ASVS Requirement 3.4.2
- Level: 1
- Chapter: V3 Web Frontend Security
- Section: V3.4 Browser Security Mechanism Headers
- Source: 0x12-V3-Web-Frontend-Security.md
Description
Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin response header field is either a fixed value set by the application or, if it is derived from the Origin HTTP request header field, that the Origin value is validated against an allowlist of trusted origins (an exact match on the full origin, not a substring, prefix or suffix match) before it is echoed back. When 'Access-Control-Allow-Origin: *' needs to be used, verify that the response does not include any sensitive information; browsers also refuse to honour '*' together with 'Access-Control-Allow-Credentials: true', so an endpoint that relies on cookies or other ambient credentials can never legitimately use the wildcard.
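The following is an added example, not part of the ASVS text and not OWASP code, showing the two patterns this requirement rules out (reflecting the Origin header unchecked, and a suffix-match "allowlist") beside the compliant ones (a fixed '*' for non-sensitive public data, or an exact-match allowlist) and a small audit helper for the wildcard rules. The allowlisted origins, the function names and the attacker origins are constructed for illustration. It runs with plain Node.js and needs no dependencies.

```javascript
// ASVS 3.4.2 worked example (added; hypothetical helper names and origins).
// All functions take the raw value of the request's Origin header (or
// undefined for same-origin / non-browser requests) and return the CORS
// response headers to emit as a plain object.

// Constructed allowlist of trusted origins. Entries are full serialized
// origins: scheme + host (+ explicit non-default port), no path, no slash.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// VULNERABLE: echoes whatever Origin the client sent, with credentials.
// Any site can then read the authenticated response cross-origin.
function corsHeadersReflecting(origin) {
  if (typeof origin !== "string") return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// ALSO VULNERABLE: a suffix "allowlist". An attacker who registers
// evilexample.com passes the check because it ends with "example.com".
function corsHeadersSuffixMatch(origin) {
  if (typeof origin !== "string" || !origin.endsWith("example.com")) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Compliant check: the Origin value must be a well-formed origin (parse it
// and require the canonical serialization to equal the input, which rejects
// trailing slashes, paths and junk) and must be an exact allowlist member.
// The literal "null" origin (sandboxed iframes, file://, redirects) is never
// trusted.
function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  if (parsed.origin !== origin) return false;
  return allowlist.has(origin);
}

// Compliant: echo the Origin only after allowlist validation. Vary: Origin
// tells shared caches that the response differs per origin, so one origin's
// Access-Control-Allow-Origin is not served to another. Unknown origins get
// no CORS headers at all rather than an error body the page could read.
function corsHeadersAllowlisted(origin, allowlist = ALLOWED_ORIGINS) {
  if (!isAllowedOrigin(origin, allowlist)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Compliant for public, non-sensitive data only: a fixed wildcard and no
// credentials. This value does not depend on the request at all.
function corsHeadersPublic() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Audit helper: flags the wildcard misuses named by the requirement.
// `bodyIsSensitive` is the caller's classification of the response.
function auditCorsResponse(headers, bodyIsSensitive) {
  const findings = [];
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"];
  if (acao === "*" && creds === "true") {
    findings.push("'*' combined with Access-Control-Allow-Credentials: true (browsers reject this; the config is wrong)");
  }
  if (acao === "*" && bodyIsSensitive) {
    findings.push("'*' on a response that carries sensitive information");
  }
  return findings;
}

// Stand-alone demo when run directly with `node`.
if (typeof require !== "undefined" && require.main === module) {
  for (const o of ["https://app.example.com", "https://evilexample.com", "https://app.example.com/", "null"]) {
    console.log(o, "->", corsHeadersAllowlisted(o), "| suffix-match:", corsHeadersSuffixMatch(o));
  }
  console.log(auditCorsResponse({ ...corsHeadersPublic(), "Access-Control-Allow-Credentials": "true" }, true));
}
```

In a real service the allowlist should be configuration, not a literal, and the same `isAllowedOrigin` check must also gate the preflight (OPTIONS) response, since a permissive preflight is what lets the browser send the credentialed request in the first place.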