Hello Gliders!
I made a Glide app and had a vulnerability test run on it.
In the report there was an alert: Unlimited Cross-Origin Resource Sharing.
Below is what is written in the report.
-Description
A wildcard (*) is specified in the Access-Control-Allow-Origin header.
Therefore, any data on this application can be accessed using JavaScript from any website.
This behavior indicates that impersonation may occur if a user is lured into a trap set by the attacker and forced to send a request and receive the response.
In addition, it is possible to view personal information while spoofed.
If personal information can be viewed, it may lead to personal information leakage.
-Recommended measures
If the application is not intended to be accessed from any website, specify the domain that is allowed as the value of the Access-Control-Allow-Origin header.
If you change the settings, it may affect the behavior of multiple web pages. Please test thoroughly before changing the server settings.
Here are my questions:
- My app's privacy setting is "public + no sign in", so anyone with the app link can access it.
Is this the reason this alert came up?
If not, what could the reason be, and can I fix it with any settings?
- There is no personal information in my app, so we are more concerned about falsification than about personal information leakage.
According to this report, is falsification at the same level of risk as information leakage?
I do not have a lot of knowledge of this field and apologize for any misunderstanding on my part…
Thank you very much for taking the time to read to the end!!
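For readers of the report quoted above, here is an added example that illustrates what the wildcard header permits and what the recommended fix looks like. It is my own illustration, not Glide's code or settings; the origins, function names and the allowlist contents are placeholders I chose for the example. Note that CORS headers govern whether script on another site may read the response, not whether the request reaches the server, and browsers never honour `*` for a request sent with cookies or other credentials.

```javascript
// Added example (not Glide's code): what a wildcard Access-Control-Allow-Origin
// permits, and the allowlist-based replacement the report recommends.
// The origins below are placeholders chosen for this illustration.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// 1. The configuration the scanner flagged: every origin may read the response.
function wildcardCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// 2. Hardened: echo the request's Origin only on an exact allowlist hit.
//    'Vary: Origin' stops a shared cache from replaying one origin's answer
//    to another. Credentials are enabled only when the app really needs
//    cookies or Authorization headers to cross origins.
function allowlistCorsHeaders(requestOrigin, { allowCredentials = false } = {}) {
  const headers = { Vary: 'Origin' };
  if (typeof requestOrigin === 'string' && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// 3. A common mistake when replacing '*': prefix or substring matching,
//    which lets https://app.example.com.attacker.example through.
function naivePrefixMatch(requestOrigin) {
  return [...ALLOWED_ORIGINS].some((o) => String(requestOrigin).startsWith(o));
}

// 4. Model of the browser's decision: may script running on pageOrigin read a
//    cross-origin response carrying these headers? '*' is never accepted for
//    a credentialed request, and a credentialed request additionally needs
//    Access-Control-Allow-Credentials: true; otherwise the origin must match.
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    if (acao === '*') return false;
    if (responseHeaders['Access-Control-Allow-Credentials'] !== 'true') return false;
  }
  return acao === '*' || acao === pageOrigin;
}

// Walk-through for an attacker-controlled page at https://evil.example.
const ATTACKER = 'https://evil.example';
function demo() {
  return {
    wildcardAnonymousRead: browserAllowsRead(ATTACKER, wildcardCorsHeaders(), false),
    wildcardCredentialedRead: browserAllowsRead(ATTACKER, wildcardCorsHeaders(), true),
    allowlistBlocksAttacker: browserAllowsRead(ATTACKER, allowlistCorsHeaders(ATTACKER), false),
    allowlistPermitsApp: browserAllowsRead(
      'https://app.example.com',
      allowlistCorsHeaders('https://app.example.com'),
      false,
    ),
    prefixMatchBypassed: naivePrefixMatch('https://app.example.com.attacker.example'),
  };
}

console.log(demo());
```

Running it shows the wildcard lets any page read anonymous responses but not credentialed ones, the exact-match allowlist blocks the attacker's origin while still serving the app's own origin, and a prefix-based matcher is bypassed by a look-alike hostname, which is why the allowlist comparison must be an exact string match.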