Critiq Docs
security.web

Avoid wildcard CORS allow-origins

Spring `@CrossOrigin("*")`, `allowedOrigins("*")`, and `addAllowedOriginPattern("*")` open the API to any origin.

# Metadata

| Field | Value |
| --- | --- |
| Rule ID | java.security.permissive-cors |
| Severity | high |
| Confidence | 0.9 |
| Languages | java |
| Presets | security, strict |
| Stability | stable |
| Applies to | block |
| Tags | cors, java, rules-catalog, security, spring |

# Why it matters

Wildcard origins switch off the browser's same-origin protection for the API, so any site can issue cross-origin requests to it; when credentials are also allowed, an untrusted site can make those calls with the user's cookies or tokens.

# Remediation

Allow only the specific origins your service trusts; never combine `allowCredentials(true)` with a wildcard origin.
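The flagged form and the remediated form side by side, as an added Spring MVC example (not code from the Critiq rule catalog); the origin list, the `/api/**` path and the method names are assumed values:

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsConfig implements WebMvcConfigurer {

    // Origins this service trusts (assumed values for the example).
    private static final List<String> TRUSTED_ORIGINS = List.of(
            "https://app.example.com",
            "https://admin.example.com");

    // FLAGGED by java.security.permissive-cors: the wildcard pattern is echoed
    // back as Access-Control-Allow-Origin for any caller, and combined with
    // allowCredentials(true) it lets any site make credentialed calls to /api/**.
    static void permissiveMapping(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOriginPatterns("*")
                .allowCredentials(true);
    }

    // Remediated: explicit allow-list; credentials are only honoured for those origins.
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins(TRUSTED_ORIGINS.toArray(new String[0]))
                .allowedMethods("GET", "POST")
                .allowCredentials(true)
                .maxAge(3600);
    }

    // Same allow-list applied to a servlet-level CorsFilter. The flagged
    // equivalent here would be config.addAllowedOriginPattern("*").
    @Bean
    public CorsFilter corsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        TRUSTED_ORIGINS.forEach(config::addAllowedOrigin);
        config.setAllowCredentials(true);
        config.addAllowedMethod("GET");
        config.addAllowedMethod("POST");
        config.addAllowedHeader("Content-Type");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return new CorsFilter(source);
    }
}
```

Spring Framework 5.3 and later reject `allowedOrigins("*")` together with `allowCredentials(true)` at startup, but `allowedOriginPatterns("*")` passes that check and reflects whatever origin the request carries, which is why the rule flags the pattern form as well.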

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/java/java.security.permissive-cors.rule.yaml`.