| Field | Value |
|---|---|
| Source | Azure Portal |
| Display name | [Deprecated]: CORS should not allow every resource to access your API App |
| Id | 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac |
| Version | 1.0.0-deprecated |
| Versioning | 1 version supported: 1.0.0 (1.0.0-deprecated) |
| Category | App Service |
| Description | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should not have CORS configured to allow every resource to access your apps', which is scoped to include API apps in addition to Web Apps. |
| Cloud environments | AzureCloud = true; AzureUSGovernment = unknown; AzureChinaCloud = unknown |
| Available in AzUSGov | Unknown: no evidence whether the policy definition is available in AzureUSGovernment |
| Assessment(s) | Assessments count: 1. Assessment Id: e40df93c-7a7c-1b0a-c787-9987ceb98e54. Display name: CORS should not allow every resource to access API Apps. Description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. Remediation: To allow only required domains to interact with your web app, we recommend the following steps: 1. Go to the App Service CORS page. 2. Remove the "*" entry and instead specify the explicit origins that should be allowed to make cross-origin calls. 3. Click Save. Categories: AppServices. Severity: Low. User impact: Low. Implementation effort: Low. Threats: MaliciousInsider, AccountBreach |
| Mode | Indexed |
| Type | BuiltIn |
| Preview | False |
| Deprecated | True |
| Effect | Default: AuditIfNotExists. Allowed: AuditIfNotExists, Disabled |
| RBAC role(s) | none |
| Rule aliases | THEN-ExistenceCondition (1) |
| Rule resource types | IF (1) |
| Compliance | Not a Compliance control |
| Initiatives usage | none |