Control: App Service Web App CORS policies should prohibit public access

Description

Azure App Service Web App Cross-Origin Resource Sharing (CORS) policies should not allow unrestricted access from any origin that could enable public access.

Usage

Run the control in your terminal:

powerpipe control run azure_perimeter.control.appservice_web_app_cors_prohibit_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_perimeter.control.appservice_web_app_cors_prohibit_public_access --share

Steampipe Tables

azure_app_service_web_app

azure_subscription

SQL

select
  a.id as resource,
  case
    when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' then 'alarm'
    else 'ok'
  end as status,
  case
    when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]'
      then a.name || ' CORS policy allows all domains to access the application.'
    else a.name || ' CORS does not allow all domains to access the application.'
  end as reason
  
  , a.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_app_service_web_app as a,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;

Control: App Service Web App CORS policies should prohibit public access

Description

Usage

Steampipe Tables

SQL

Tags