
Null Origin Allowed In Cross-Origin Requests

Description

The server was found to return "null" in the "Access-Control-Allow-Origin" header. Explicitly allowing the "null" origin is discouraged because documents loaded in contexts whose origin serializes to "null" (such as sandboxed iframes) send requests with "Origin: null", so a server that trusts "null" effectively trusts any such document. For more information, consult the W3C recommendation on this topic: https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null

Remediation

Configure your server or application so that it never returns 'Access-Control-Allow-Origin: null'. Instead, return a specific trusted origin, and use wildcard settings only where absolutely necessary and safe for your use case. If you rely on dynamic origin handling, ensure that the server validates every incoming Origin value against an allowlist of trusted domains before echoing it in the 'Access-Control-Allow-Origin' response header. Employ a Web Application Firewall (WAF) or intrusion detection system to monitor for attempts to abuse permissive CORS configurations, and review and update your CORS policy regularly to minimize the risk of unauthorized cross-origin requests.
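As an added example, not code from this advisory or from any particular product, here is a minimal Node.js origin check that places the weak "reflect whatever Origin was sent" pattern, which produces this finding, beside an exact-match allowlist; the origins in it are constructed placeholders.

```javascript
// Added example, not code from the advisory: an exact-match origin allowlist
// for a CORS response, with the weak reflecting pattern shown beside it.
// All origins below are constructed placeholders.

// Trusted origins as exact scheme://host[:port] strings (constructed list).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Weak pattern: echo the request's Origin header back unchanged. A sandboxed
// or opaque-origin document sends "Origin: null", so this answers with
// "Access-Control-Allow-Origin: null", which is exactly the finding above.
function reflectingCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== "string") return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Corrected pattern: only an origin that parses cleanly and matches the
// allowlist exactly is echoed back. "null", a missing header, a malformed
// value, a different scheme, and look-alike hosts all get no CORS headers.
function allowlistCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== "string" || requestOrigin === "null") return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return {}; // not a URL at all (this also rejects "null", handled above)
  }
  // parsed.origin is the canonical scheme://host[:port]. Requiring it to equal
  // the raw header rejects paths, userinfo or other noise appended to a value.
  if (parsed.origin !== requestOrigin || !ALLOWED_ORIGINS.has(parsed.origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keeps caches from serving one origin's answer to another
  };
}
```

Wire `allowlistCorsHeaders(req.headers.origin)` into the response for both preflight and actual requests; an empty result means the browser will block the cross-origin read, which is the intended outcome for "null" and unknown origins.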

References

https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE: CWE-942

CVSS score: 5.4

CVSS vector: CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N