
Checkmarx issue - Spring overly permissive cross origin resource sharing policy

On every method of every controller in my application, Checkmarx complains that "The method getCertificate sets an overly permissive CORS access control origin header". I can see that no @CrossOrigin is used in this controller class.

    // No @CrossOrigin on this method or its class, yet Checkmarx flags it
    @GetMapping(produces = APPLICATION_JSON_VALUE)
    public ResponseEntity<CertificateDTO> getCertificate(HttpServletRequest request) {
        return ResponseEntity.ok(certificatePropertiesService.getCertificateDetails());
    }

But I can see that the following is used in the Main class. I am not able to establish the relation here.

    @CrossOrigin(origins = "*", allowedHeaders = "*", methods = {RequestMethod.GET, RequestMethod.OPTIONS, RequestMethod.POST, RequestMethod.PUT, RequestMethod.DELETE})

What is happening here? How can we solve this issue? Where can I look in the code? Note that this is existing code in the project.

As part of the Same-Origin Policy, browsers by default do not allow resources from different domains to access one another's cookies or DOM objects, which prevents users from falling victim to malicious websites. The CORS policy, through specific headers, relaxes this restrictive behaviour to enable cross-site communication.

Your @CrossOrigin is too relaxed: the wildcards (*) allow ALL domains, so you will have to define a whitelist of the domains that are allowed to access the resources in your web app. For example:

@CrossOrigin(origins = "https://yourdomain.com", allowedHeaders = "Accept,Accept-Language,Content-Language,Content-Type", methods = {RequestMethod.GET, RequestMethod.OPTIONS, RequestMethod.POST, RequestMethod.PUT, RequestMethod.DELETE})
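The following is an added example, not code from the question or the answer above. Spring applies a class-level @CrossOrigin to every handler method of the annotated class, and a global WebMvcConfigurer mapping to every controller whose path it matches; a blanket wildcard policy in either place is what a scanner attributes to each endpoint, and either place is where it gets fixed. The example replaces the wildcard annotation with one global allowlist, and its main() uses Spring's own CorsConfiguration.checkOrigin to show the value each policy would emit in Access-Control-Allow-Origin for an untrusted versus a trusted Origin (null means refused). The class name, the /api/** mapping, the origin list and the example origins are assumptions; the real list belongs in application properties.

```java
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Hypothetical replacement for a wildcard @CrossOrigin on the main class:
 * one global CORS policy with an explicit origin allowlist, applied to
 * every controller mapped under /api/** (assumed path).
 */
@Configuration
public class CorsAllowlistConfig implements WebMvcConfigurer {

    // Assumed allowlist; in a real project read this from configuration.
    static final List<String> ALLOWED_ORIGINS = List.of(
            "https://app.example.com",
            "https://admin.example.com");

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                // exact origins only; no "*" and no reflection of the request Origin
                .allowedOrigins(ALLOWED_ORIGINS.toArray(String[]::new))
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                // enumerate request headers instead of allowedHeaders("*")
                .allowedHeaders("Accept", "Accept-Language", "Content-Language",
                        "Content-Type", "Authorization")
                // Spring 5.3+ rejects allowCredentials(true) together with
                // allowedOrigins("*"), which is a second reason the wildcard must go
                .allowCredentials(true)
                .maxAge(3600);
    }

    /** Compares the decision of the wildcard policy with the allowlist policy. */
    public static void main(String[] args) {
        String untrusted = "https://evil.example";        // assumed attacker origin
        String trusted = "https://app.example.com";       // assumed first-party origin

        // The policy the scanner complains about: origins = "*"
        CorsConfiguration wildcard = new CorsConfiguration();
        wildcard.addAllowedOrigin(CorsConfiguration.ALL);

        // The hardened policy: same list as the mapping above
        CorsConfiguration allowlist = new CorsConfiguration();
        allowlist.setAllowedOrigins(ALLOWED_ORIGINS);
        allowlist.setAllowCredentials(true);

        // checkOrigin returns the Access-Control-Allow-Origin value Spring would
        // send for that request Origin, or null when the origin is refused.
        System.out.println("wildcard  policy, Origin " + untrusted + " -> " + wildcard.checkOrigin(untrusted));
        System.out.println("allowlist policy, Origin " + untrusted + " -> " + allowlist.checkOrigin(untrusted));
        System.out.println("allowlist policy, Origin " + trusted + " -> " + allowlist.checkOrigin(trusted));
    }
}
```

Once a global mapping like this exists, the wildcard @CrossOrigin on the main class should be deleted rather than kept alongside it, and any remaining per-controller @CrossOrigin should list concrete origins as the answer shows, or be removed so the global policy applies.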
