Hi Expert
A security audit gave me a vulnerability alert in QlikSense Server (using the April 2020 version of QlikSense Server):
CORS (Cross-Origin Resource Sharing)
Situation:
I have https://server.domain.com/qmc -> QMC and https://server.domain.com/hub
The vulnerability error is:
CORS (Cross-Origin Resource Sharing) defines a mechanism to enable client-side cross-origin requests. This application is using CORS in an insecure way.
The web application fails to properly validate the Origin header (check Details section for more information) and returns the header Access-Control-Allow-Credentials: true.
In this configuration any website can issue requests made with user credentials and read the responses to these requests. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.
Recommendations: Allow only selected, trusted domains in the Access-Control-Allow-Origin header.
Does someone know how to mitigate it?
I tried to add in the virtual proxy the sentence ACCESS CONTROL ORIGIN, in the response headers in the QMC, but it still continues:
Access-Control-Allow-Origin: https://server.domain.com/qmc, http://localhost
BUT the error or vulnerability persists.
Thanks a lot
Fernando
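For reference, here is an added example (not code from the original post, and not Qlik's own proxy logic) showing in Python the difference between the behaviour the audit describes (reflecting any Origin together with Access-Control-Allow-Credentials: true) and a strict origin allowlist. The allowlist entry, the probe origins and the function names are assumptions made for illustration; note that an Access-Control-Allow-Origin value must be a single origin of the form scheme://host[:port], so a value carrying a path or a comma-separated list would not be accepted by a browser anyway.

```python
from urllib.parse import urlsplit

# Constructed allowlist of trusted origins (assumption for this example).  An
# origin is scheme://host[:port] with no path: "https://server.domain.com/qmc"
# is a URL, not an origin, and a browser's Origin header would never equal it.
# The hub and the QMC on the same host share one origin.  Any further entry
# (e.g. a localhost dev origin) would have to be added here deliberately.
TRUSTED_ORIGINS = frozenset({"https://server.domain.com"})


def normalize_origin(value):
    """Return a canonical scheme://host[:port] for a syntactically valid Origin
    header value, or None for anything else (missing, "null", a URL with a
    path, an unsupported scheme, credentials in the authority, a bad port)."""
    if not value:
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname  # urlsplit lowercases the hostname
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_response_headers(origin_header):
    """Headers for a credentialed CORS response.  The Origin is echoed back only
    on an exact allowlist match; any other origin gets no CORS headers at all,
    so the browser refuses to expose the response to the calling page."""
    origin = normalize_origin(origin_header)
    if origin is None or origin not in TRUSTED_ORIGINS:
        return {}
    return {
        # Exactly one origin.  A comma-separated list such as
        # "https://a.example, https://b.example" is invalid and browsers reject it.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Without Vary, a cache could serve one origin's response to another.
        "Vary": "Origin",
    }


def insecure_cors_response_headers(origin_header):
    """The pattern the audit flagged: reflect whatever Origin arrives and also
    allow credentials, which lets any site read authenticated responses."""
    if not origin_header:
        return {}
    return {
        "Access-Control-Allow-Origin": origin_header,
        "Access-Control-Allow-Credentials": "true",
    }


def allows_credentialed_read(headers, origin):
    """Would a browser on page `origin` get to read the response?  True only
    when the header names that exact origin and credentials are allowed (the
    wildcard "*" is never accepted together with credentials)."""
    allowed = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials") == "true"
    return creds and allowed == origin


if __name__ == "__main__":
    # Constructed probe origins, including a suffix-confusion attempt.
    for probe in ("https://server.domain.com", "https://evil.example",
                  "https://server.domain.com.evil.example", "null"):
        insecure = allows_credentialed_read(insecure_cors_response_headers(probe), probe)
        strict = allows_credentialed_read(cors_response_headers(probe), probe)
        print(f"{probe:45} reflected: {insecure!s:5} allowlist: {strict}")
```

To check what the virtual proxy actually sends, request the hub with a foreign Origin, for example `curl -sSI -H "Origin: https://evil.example" https://server.domain.com/hub/` (the path is an assumption), and look at the response: if Access-Control-Allow-Origin echoes https://evil.example next to Access-Control-Allow-Credentials: true, the audit finding is reproducible and the configured header value has not taken effect.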
Hello! Did you find the solution? We are having the same problem with a client, and it would be of much help if you could give us an answer in case you have been able to solve it. Thank you.