Permissive CORS Policy

Issue: SI-50
Date: Jan 24, 2019, 4:15:00 AM
Severity: Low
Requires Admin Access: No
Fix Version: TBD
Credit: Johannes Moritz - RIPS TECHNOLOGIES GMBH

dotCMS currently returns an "Access-Control-Allow-Origin" header with a value of "*". This means that, by default, any public content on this server is shared with any origin. While CORS is a browser-enforced security measure, it can be desirable to prevent other sites from linking to content on your site as if it were their own content.

Workaround: a custom static plugin can override the code that sets the header value.
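The following is an added example, not dotCMS code or the plugin described above: it flags the wildcard Access-Control-Allow-Origin response the advisory describes when auditing a captured response, and shows the origin-allowlist decision a hardened replacement for the blanket "*" would make. The sample response and the allowlist entries are constructed for illustration.

```python
"""Audit Access-Control-Allow-Origin on a captured HTTP response and
compute the allowlist-based header value a hardened server would send."""
from urllib.parse import urlsplit

# Constructed sample response (assumption: what a permissive server returns).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "\r\n"
    '{"ok": true}'
)


def parse_headers(raw):
    """Return a dict of lower-cased header names from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def cors_verdict(headers):
    """Classify the policy: 'none', 'wildcard', 'wildcard+credentials' or
    'specific'. A wildcard combined with credentials is the worst case, since
    browsers are told to expose authenticated responses to any origin."""
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        return "wildcard+credentials" if creds else "wildcard"
    return "specific"


def allow_origin_for(origin, allowlist):
    """Hardened replacement for a blanket '*': echo the request's Origin only
    when its scheme+host[:port] is explicitly allowed, otherwise send nothing.
    Responses built this way must also carry 'Vary: Origin' so caches do not
    serve one origin's answer to another."""
    if not origin:
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # rejects 'null', file origins and malformed values
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    return normalized if normalized in allowlist else None


if __name__ == "__main__":
    print(cors_verdict(parse_headers(SAMPLE_RESPONSE)))
    print(allow_origin_for("https://app.example.com", {"https://app.example.com"}))
```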