Topics started by AnalystHOK
Our security team identified that the web server accepts an arbitrary Origin request header. The application implements a cross-origin resource sharing (CORS) policy for this request that allows access from any domain. We tried requests with different origins (www.fakedomain.com) and they are accepted by the server and a valid response is sent back (PoC attached: “cors origin”).

Although, in our case, the Embedded Domain Allow list is empty, which we are assuming permits requests only from our Looker domain, and Same-Origin Protections for Looker Login Pages was enabled, the security team was still able to successfully request access from a different domain. Please help us understand whether there are any additional steps to be followed to ensure that requests with different origins (www.fakedomain.com) are not accepted by the server.
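An added example, not Looker's code or the poster's configuration, showing the two behaviours the post contrasts: a handler that reflects whatever Origin arrives (the finding) next to a handler that emits CORS headers only for an exact allow-list match, plus a check that classifies a response to a probe origin that should not be trusted. The allow-list hostnames are constructed placeholders.

```python
"""Reflecting CORS handler vs. an explicit origin allow list, with a classifier
for responses to a probe Origin (e.g. www.fakedomain.com) that must not be trusted."""
from urllib.parse import urlsplit

# Constructed allow list; placeholder hostnames, not the poster's Looker domains.
ALLOWED_ORIGINS = {"https://looker.example.com", "https://bi.example.com"}


def reflecting_cors(request_origin):
    """The behaviour in the finding: whatever Origin arrives is echoed back."""
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def allowlisted_cors(request_origin, allowed=ALLOWED_ORIGINS):
    """Hardened form: CORS headers only for an exact, normalized allow-list hit."""
    if not request_origin or request_origin == "null":   # opaque origins never match
        return {}
    parts = urlsplit(request_origin)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
        return {}                                         # malformed, or carries a path
    origin = f"{parts.scheme}://{parts.netloc.lower()}"   # scheme + host (+ port)
    if origin not in allowed:                             # exact match, no prefix/regex
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}                             # caches must key on Origin


def classify_cors(probe_origin, headers):
    """Classify a response to a request whose Origin should NOT have been accepted."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "restricted"       # no cross-origin read granted to the probe
    if acao == "*":
        return "wildcard"         # browsers refuse credentials with "*", still review
    if acao == probe_origin:
        return "reflected-with-credentials" if creds else "reflected"
    return "restricted"
```

Running the probe origin from the post through both handlers makes the difference concrete: the reflecting handler yields "reflected-with-credentials", the allow-listed one yields "restricted".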