Invicti detected a possibly misconfigured Access-Control-Allow-Origin header in the resource's HTTP response.
Cross-origin resource sharing (CORS) is a mechanism that allows resources on a web page to be requested outside the domain through XMLHttpRequest.
Unless this HTTP header is present, such "cross-domain" requests are forbidden by web browsers, per the same-origin security policy.
A misconfigured Access-Control-Allow-Origin header relaxes the same-origin policy for this resource, which is generally not appropriate. The only case in which it is acceptable under the same-origin policy is when the page or API response is completely public content that is intended to be accessible to everyone.
If this page is intended to be accessible to everyone, you don't need to take any action. Otherwise, follow the guidelines for the different architectures below to set this header so that it permits only the intended outside domain (replace "domain" with that origin).

Apache
Add the following line to your Apache server's configuration file (httpd.conf or apache.conf), or to a .htaccess file:
Header set Access-Control-Allow-Origin "domain"

IIS6
Add a custom HTTP header named Access-Control-Allow-Origin with domain as the header value.

IIS7
Add the header to the custom headers in web.config:
<add name="Access-Control-Allow-Origin" value="domain" />

ASP.NET
Response.AppendHeader("Access-Control-Allow-Origin", "domain");
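Whichever server emits the header, the value should be chosen against an allow-list of origins rather than copied from the request. The Python below is added here as an illustration and is not code from Invicti or from any of the servers above; it shows that per-request decision and a scanner-style check of a captured response, with a constructed allow-list of example origins.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: the only origins permitted to read
# the resource. "domain" in the configuration snippets above stands for one entry.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com:8443"})

def normalize_origin(value):
    """Canonicalise an Origin header value to lowercase scheme://host[:port].
    Returns None for anything that is not a bare origin (missing, "null",
    malformed, or carrying a path, query or userinfo), so it can never match."""
    if not value or value.strip().lower() == "null":
        return None
    parts = urlsplit(value.strip())
    try:
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    if (parts.scheme, port) in (("https", 443), ("http", 80)):
        port = None  # the default port is implicit in the origin
    return f"{parts.scheme}://{parts.hostname}" + (f":{port}" if port else "")

def cors_headers(request_origin):
    """Pick the CORS headers for one response from the request's Origin.
    Only an exact allow-list match gets Access-Control-Allow-Origin, echoed as
    that single origin plus Vary: Origin so a shared cache never hands one
    origin's response to another. Anything else gets no header at all, which
    leaves the browser's same-origin policy fully in force."""
    origin = normalize_origin(request_origin)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

def response_is_misconfigured(response_headers):
    """Scanner-style check on a captured response: True for a wildcard or for
    an allow-origin value outside the allow-list, e.g. one that merely reflects
    whatever Origin the request carried."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    return acao == "*" or normalize_origin(acao) not in ALLOWED_ORIGINS
```

Exact set membership is what keeps a look-alike host such as app.example.com.attacker.test out; a prefix or substring comparison would let it through.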