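include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

https://nodejs.org/api/http.html[nodejs http] built-in module:

[source,javascript]
----
const http = require('http');

const srv = http.createServer((req, res) => {
  // The wildcard lets a script served from any origin read this response.
  res.writeHead(200, { 'Access-Control-Allow-Origin': '*' }); // Sensitive
  res.end('ok');
});
srv.listen(3000);
----

https://www.npmjs.com/package/express[Express.js] framework with https://www.npmjs.com/package/cors[cors middleware]:

[source,javascript]
----
const express = require('express');
const cors = require('cors');

const app1 = express();
app1.use(cors()); // Sensitive: by default origin is set to *

const corsOptions = {
  origin: '*' // Sensitive
};

const app2 = express();
app2.use(cors(corsOptions));
----

== Compliant Solution

https://nodejs.org/api/http.html[nodejs http] built-in module:

[source,javascript]
----
const http = require('http');

const srv = http.createServer((req, res) => {
  // An origin is scheme + host (+ non-default port). The browser compares this
  // value with the request's Origin header as an exact string, so a bare host
  // name such as 'trustedwebsite.com' would never match.
  // If several origins must be allowed, check the request's Origin header
  // against an allowlist and send 'Vary: Origin'; do not echo it back unchecked.
  res.writeHead(200, {
    'Access-Control-Allow-Origin': 'https://trustedwebsite.com' // Compliant
  });
  res.end('ok');
});
srv.listen(3000);
----

https://www.npmjs.com/package/express[Express.js] framework with https://www.npmjs.com/package/cors[cors middleware]:

[source,javascript]
----
const express = require('express');
const cors = require('cors');

const corsOptions = {
  origin: 'https://trustedwebsite.com' // Compliant: one explicit origin, scheme included
};

const app = express();
app.use(cors(corsOptions));
----

include::../see.adoc[]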