CME-1308

Origin and CORS Validation Enforcement

Description

Enforces strict Cross-Origin Resource Sharing (CORS) policies and Origin header validation to prevent cross-origin attacks. Configures CORS headers (Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Credentials) with explicit domain allowlists rather than wildcards. Validates the Origin and Referer headers on all state-changing requests, rejecting requests from unlisted origins. Prevents CSRF and cross-origin data leakage attacks that rely on permissive or absent origin checks.
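As an added illustration (not code from the CME catalog or any referenced project), the policy above can be enforced at the request layer like this; the allowlist entries and the `evaluate_request`/`normalize_origin` names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: full origins (scheme, host, port),
# compared by exact match, never by substring or domain suffix.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(value):
    """Reduce an Origin or Referer value to scheme://host[:port], lowercased.
    Returns None when unparsable (e.g. the literal 'null' or garbage)."""
    if not value:
        return None
    parts = urlsplit(value.strip())
    try:
        port = parts.port
    except ValueError:  # non-numeric port
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    suffix = f":{port}" if port and port != DEFAULT_PORTS[parts.scheme] else ""
    return f"{parts.scheme}://{parts.hostname}{suffix}"

def evaluate_request(method, headers, allowed=ALLOWED_ORIGINS):
    """Decide whether to serve a request and which CORS headers to attach.
    Returns (serve: bool, response_headers: dict)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Origin is authoritative; Referer is only a fallback for clients that
    # omit Origin on same-site state-changing requests.
    origin = normalize_origin(hdrs.get("origin")) or normalize_origin(hdrs.get("referer"))
    trusted = origin in allowed  # exact match against the explicit allowlist

    if method.upper() in STATE_CHANGING and not trusted:
        # Missing or unlisted origin on a state-changing request: reject it.
        return False, {}

    response = {"Vary": "Origin"}  # caches must key on Origin, never on '*'
    if trusted:
        # Echo only a listed origin; credentials are never combined with '*'.
        response["Access-Control-Allow-Origin"] = origin
        response["Access-Control-Allow-Credentials"] = "true"
        response["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE"
    # Safe methods from unlisted origins are served without CORS headers, so
    # the browser withholds the response body from the calling page.
    return True, response
```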

CVSS Vector Impacts

Metric                 | Transition | Rationale
Attack Complexity (AC) | L → H      | Strict origin validation forces the attacker to compromise a trusted origin domain or find an origin-bypass vulnerability before executing cross-origin attacks, significantly increasing attack complexity.

CWE Relationships

Verification

Check that CORS headers do not allow wildcard origins

$ curl -s -H 'Origin: https://evil.example.com' -I http://localhost:8080 | grep -i access-control-allow-origin
# Expected: no Access-Control-Allow-Origin header, or one that contains neither * nor the unlisted evil.example.com origin reflected back
Platform: any