Confusion on the 'Access-Control-Allow-Origin' header with apache

Question

Lets say I have my website named SiteA.com running on an Apache web server. I have defined the ff. below on my httpd.conf file:

Header set Access-Control-Allow-Origin "CustomBank.com"

Questions:

Does this mean only CustomBank.com can access my site (SiteA.com) directly? or does it mean only my site (SiteA.com) can access the CustomBank.com domain directly? I am confused if this setting is for inbound or outbound.
In reality I don't have any CORS requirement needed for my site, so I didn't implement the setting mentioned above, the one below shows up in my response header.

Access-Control-Allow-Origin: *

Penetration Testing team said this setting is overly permissive. Do I just need to remove it? if not what should I do?

score 0 · Answer 1 · answered Nov 27 '20 at 13:02

It means javascript loaded from CustomBank.com can make requests to your site (the site whose configuration has changed) via XMLHTPRequest in the background.

Since XMLHTTPRequest will send a users existing session cookie with your site, malicious scripts could do all kinds of nefarious/misleading things on behalf of your user. That's why * is not normally a suitable fix.

The restrictions apply to other script-like invocations that are more esoteric that you can read about in the specs.

So in short, this setting is only from inbound connections? other domains accessing your domain. — lecarpetron dookmarion, Nov 28 '20 at 22:51

Confusion on the 'Access-Control-Allow-Origin' header with apache

1 Answers1