Control: CORS should not allow every resource to access your Web Applications
Description
Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.
Usage
Run the control in your terminal:
powerpipe control run terraform_azure_compliance.control.appservice_web_app_cors_no_starSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_azure_compliance.control.appservice_web_app_cors_no_star --shareSQL
This control uses a named query:
select address as resource, case when (attributes_std -> 'site_config') is null then 'alarm' when (attributes_std -> 'site_config' -> 'cors' -> 'allowed_origins') @> '["*"]' then 'alarm' else 'ok' end status, split_part(address, '.', 2) || case when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined' when (attributes_std -> 'site_config' -> 'cors' -> 'allowed_origins') @> '["*"]' then ' CORS allow all domains to access the application' else ' CORS does not all domains to access the application' end || '.' reason , path || ':' || start_linefrom terraform_resourcewhere type = 'azurerm_app_service';