rspec/rules/S5122/recommended.adoc

== Recommended Secure Coding Practices

* The ``++Access-Control-Allow-Origin++`` header should be set only for a trusted origin and for specific resources. 
* Allow only selected, trusted domains in the ``++Access-Control-Allow-Origin++`` header. Prefer whitelisting domains over blacklisting or allowing any domain (do not use * wildcard nor blindly return the ``++Origin++`` header content without any checks).