last sync: 2020-Sep-18 14:08:07 UTC

Azure Policy

CORS should not allow every resource to access your API App

Policy DisplayName CORS should not allow every resource to access your API App
Policy Id 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac
Policy Category App Service
Policy Description Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.
Policy Mode Indexed
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used none
Policy Changes no changes
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
Enable Monitoring in Azure Security Center 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
[Preview]: Azure Security Benchmark 42a694ed-f65e-42b2-aa9e-8052e9740a92
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab
Policy Rule
{
  "properties": {
    "displayName": "CORS should not allow every resource to access your API App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "*api"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "existenceCondition": {
          "field": "Microsoft.Web/sites/config/web.cors.allowedOrigins[*]",
            "notEquals": "*"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "358c20a6-3f9e-4f0e-97ff-c6ce485e2aac"
}