include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

Django:

----
CORS_ORIGIN_ALLOW_ALL = True # Sensitive
----

Flask:

----
from flask import Flask
from flask_cors import CORS

app = Flask(__name__)
CORS(app, resources={r"/*": {"origins": "*", "send_wildcard": "True"}}) # Sensitive
----

User-controlled origin:

[source,python]
----
origin = request.headers['ORIGIN']
resp = Response()
resp.headers['Access-Control-Allow-Origin'] = origin # Sensitive
----

== Compliant Solution

Django:

[source,python]
----
CORS_ORIGIN_ALLOW_ALL = False # Compliant
----

Flask:

[source,python]
----
from flask import Flask
from flask_cors import CORS

app = Flask(__name__)
CORS(app, resources={r"/*": {"origins": "*", "send_wildcard": "False"}}) # Compliant
----

User-controlled origin validated with an allow-list:

[source,python]
----
origin = request.headers['ORIGIN']
resp = Response()
if origin in TRUSTED_ORIGINS:
   resp.headers['Access-Control-Allow-Origin'] = origin
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]