A scan has been performed on our Cloud environment and the following has been identified:
CORS
It has been identified that the web server has a weak cross-origin resource sharing (CORS) policy configured, since it does not correctly validate the “Origin” header and returns the header “Access-Control-Allow-Credentials: true”. With this configuration, any website can make requests with user credentials and read the responses to these requests. Relying on arbitrary origins disables the same-origin policy (SOP), allowing bidirectional interaction of the affected website with third-party websites.
CSP
It has been identified that the asset does not have the Content Security Policy (CSP) header. This header makes it possible to reduce or eliminate the chances of XSS occurrence by specifying domains that the browser will consider as valid sources of executable scripts. A CSP-compliant browser will only be able to execute scripts from the source files specified in this whitelist of domains, completely ignoring any other scripts.
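As an added example, not part of the scan output or of the environment it describes, the two findings side by side in plain JavaScript: the weak configuration that reflects any Origin together with Allow-Credentials, a hardened version that only answers an exact-match allowlist and always sends a CSP header, and a check that confirms the reflection is gone. The allowed origins, the CDN host and the policy string are assumptions chosen for illustration.

```javascript
// Added example: hardened CORS/CSP response headers and a check for the weak behaviour.
// All origins and the CSP policy below are assumed values, not taken from the scanned system.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // assumed first-party origin
  'https://admin.example.com', // assumed first-party origin
]);

// Assumed policy: scripts only from our own origin and one named CDN; no plugins, no framing.
const CSP_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; " +
  "object-src 'none'; frame-ancestors 'none'";

// The weak configuration the scan describes: whatever Origin arrives is echoed back
// unconditionally, together with Allow-Credentials, so any site can read credentialed responses.
function weakCorsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened version: exact-match allowlist (no prefix/suffix matching, no "null" origin).
// Unknown or absent origins get no CORS headers at all, so the browser's same-origin policy
// applies to them. 'Vary: Origin' keeps a cache from replaying one origin's ACAO to another.
// The CSP header is sent on every response, which addresses the second finding.
function securityHeaders(origin) {
  const headers = { 'Content-Security-Policy': CSP_POLICY };
  if (typeof origin === 'string' && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
  }
  return headers;
}

// Detection of the reported weakness: feed a header builder an origin that is NOT on the
// allowlist and see whether it comes back reflected alongside Allow-Credentials: true.
// Returns true when the builder is vulnerable in the way the scan describes.
function reflectsArbitraryOrigin(headersFor, probeOrigin) {
  const h = headersFor(probeOrigin);
  return h['Access-Control-Allow-Origin'] === probeOrigin &&
         h['Access-Control-Allow-Credentials'] === 'true';
}
```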