Feature Value
Type Detection
Risk -
Covered by Agent

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin header indicates whether a resource can be shared based on returning the value of the Origin request header, "*", or "null" in the response.

If a website responds with Access-Control-Allow-Origin: * the requested resource allows sharing with every origin. Therefore, any website can make XHR (XMLHTTPRequest) requests to your site and access the responses. It is not recommended to use the Access-Control-Allow-Origin: * header.

More information

How to solve it

Apply a CORS policy that reduces the exposure to attacks.