include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

https://nodejs.org/api/http.html[nodejs http] built-in module:

[source,javascript]
----
const http = require('http');
const srv = http.createServer((req, res) => {
  res.writeHead(200, { 'Access-Control-Allow-Origin': '*' }); // Sensitive
  res.end('ok');
});
srv.listen(3000);
----

https://www.npmjs.com/package/express[Express.js] framework with https://www.npmjs.com/package/cors[cors middleware]:

[source,javascript]
----
const cors = require('cors');

let app1 = express();
app1.use(cors()); // Sensitive: by default origin is set to *

let corsOptions = {
  origin: '*' // Sensitive
};

let app2 = express();
app2.use(cors(corsOptions));
----

User-controlled origin:

[source,javascript]
----
function (req, res) {
  const origin = req.header('Origin');
  res.setHeader('Access-Control-Allow-Origin', origin); // Sensitive
};
----

== Compliant Solution

https://nodejs.org/api/http.html[nodejs http] built-in module:

[source,javascript]
----
const http = require('http');
const srv = http.createServer((req, res) => {
  res.writeHead(200, { 'Access-Control-Allow-Origin': 'trustedwebsite.com' }); // Compliant
  res.end('ok');
});
srv.listen(3000);
----

https://www.npmjs.com/package/express[Express.js] framework with https://www.npmjs.com/package/cors[cors middleware]:

[source,javascript]
----
const cors = require('cors');

let corsOptions = {
  origin: 'trustedwebsite.com' // Compliant
};

let app = express();
app.use(cors(corsOptions));
----

User-controlled origin validated with an allow-list:

[source,javascript]
----
function (req, res) {
  const origin = req.header('Origin');

  if (trustedOrigins.indexOf(origin) >= 0) {
    res.setHeader('Access-Control-Allow-Origin', origin);
  }
};
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 6 Jan 2019, 17:05:39 Lars Svensson wrote:
https://nodejs.org/api/http.html

https://nodejs.org/api/https.html

https://expressjs.com/en/4x/api.html

https://www.npmjs.com/package/cors

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]