rules/findings/azure/appservices/azure-app-service-cors-all-origins.allowed.json
{
"args": [], "provider": "Azure", "serviceType": "_ARG_0_", "serviceName": "Hosted Services", "displayName": "Ensure cross-origin resource sharing does not allow all", "description": "Cross-origin resource sharing (CORS) is a security feature that controls how applications interact with resources hosted on different domains.", "rationale": "Restrict CORS to only trusted origins to help enforce proper access control and reduce exposure to malicious cross-origin requests.", "impact": "Configuration is required to ensure that the appropriate origins have access.<br/><br/>Setting up a proper CORS policy can be fairly complex and an incorrect setting could permit Cross-Site Request Forgery (CSRF). The `caveat` is that if the app being deployed is a PUBLIC API, a wildcard `*` CORS policy is absolutely necessary.", "remediation": { "text": " ##### Remediate from Azure Portal 1. Go to App Service. 2. Click the name of an app. 3. Under API, click CORS. 4. Under Allowed Origins, delete the entry that equals *. 5. Specify the origins that should be allowed to make cross-origin calls. 6. Click Save. 7. Repeat steps 1-6 for each app requiring remediation. 
", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-rest-api", "https://learn.microsoft.com/en-us/cli/azure/webapp/cors", "https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html", "https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS", "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html" ], "compliance": [ { "name": "_ARG_1_", "version": "_ARG_2_", "reference": "_ARG_3_", "profile": [ "Level 1" ] } ], "level": "medium", "tags": [], "rule": { "path": "az_app_services", "subPath": null, "selectCondition": {}, "query": [ { "filter": [ { "conditions": [ [ "ne", "config.properties.cors" ], [ "config.properties.cors.allowedOrigins", "match", "^[*]" ] ], "operator":"and" } ] }, { "connectOperator": "and", "filter": [ { "include": "_ARG_4_" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "name": "Name", "location": "location", "resourceGroupName": "Resource Group Name", "config.properties.cors.allowedOrigins":"Allow Origins" }, "expandObject": null }, "table": "default", "decorate": [], "emphasis": [], "actions": { "objectData": { "properties": [ "name", "location", "resourceGroupName", "config" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { "name": "Name", "location": "location", "resourceGroupName": "Resource Group Name", "config.properties.cors.allowedOrigins":"Allow Origins" }, "expandObject": null }, "status": { "keyName": ["name"], "message": "Ensure cross-origin resource sharing does not allow all for {name}", "defaultMessage": null }, "properties": { "resourceName": "name", "resourceId": "id", "resourceType": "type" }, "onlyStatus": false } }, 
"idSuffix": "azure__ARG_0__cors_allow_all_origins", "notes": [], "categories": [], "immutable_properties": [ "name", "id" ], "id": "azure_app_service__ARG_5_" } |