65 lines
1.3 KiB
Plaintext
65 lines
1.3 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
https://nodejs.org/api/http.html[nodejs http] built-in module:
|
|
|
|
----
|
|
const http = require('http');
|
|
const srv = http.createServer((req, res) => {
|
|
res.writeHead(200, { 'Access-Control-Allow-Origin': '*' }); // Sensitive
|
|
res.end('ok');
|
|
});
|
|
srv.listen(3000);
|
|
----
|
|
|
|
|
|
https://www.npmjs.com/package/express[Express.js] framework with https://www.npmjs.com/package/cors[cors middleware]:
|
|
|
|
----
|
|
const cors = require('cors');
|
|
|
|
let app1 = express();
|
|
app1.use(cors()); // Sensitive: by default origin is set to *
|
|
|
|
let corsOptions = {
|
|
origin: '*' // Sensitive
|
|
};
|
|
|
|
let app2 = express();
|
|
app2.use(cors(corsOptions));
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
https://nodejs.org/api/http.html[nodejs http] built-in module:
|
|
|
|
----
|
|
const http = require('http');
|
|
const srv = http.createServer((req, res) => {
|
|
res.writeHead(200, { 'Access-Control-Allow-Origin': 'trustedwebsite.com' }); // Compliant
|
|
res.end('ok');
|
|
});
|
|
srv.listen(3000);
|
|
----
|
|
|
|
|
|
https://www.npmjs.com/package/express[Express.js] framework with https://www.npmjs.com/package/cors[cors middleware]:
|
|
|
|
----
|
|
const cors = require('cors');
|
|
|
|
let corsOptions = {
|
|
origin: 'trustedwebsite.com' // Compliant
|
|
};
|
|
|
|
let app = express();
|
|
app.use(cors(corsOptions));
|
|
----
|
|
|
|
include::../see.adoc[]
|