
🚨 Zap scan fix - CORS Misconfiguration #851

Open
@marcellmueller


Description:

https://www.zaproxy.org/docs/alerts/40040-2/
https://www.zaproxy.org/docs/alerts/10098/

Fix CORS Misconfiguration - this should allow requests from known domains, i.e. sitesandtrailsbc.ca, beta.sitesandtrailsbc.ca, the dev/test CloudFront URL, etc.

This will also likely fix this alert:
https://www.zaproxy.org/docs/alerts/90004-3/

Acceptance Criteria:

  • CORS is properly configured for our frontend via terraform
  • CORS is properly configured for our backend either via terraform or in the backend itself (via the helmet config in app.ts)
  • CORS allowed origins includes our domain ie sitesandtrailsbc.ca, subdomain ie beta.sitesandtrailsbc.ca and our
  • Re-run zap scan and verify that this is fixed (see dev notes)
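
The acceptance criteria above ask for an allow-list of known origins rather than a blanket policy. The block below is an added example, not code from this repository: it shows the misconfigured pattern ZAP reports (reflecting whatever `Origin` the client sends) next to an exact-match allow-list in the shape a custom Express middleware in `app.ts` could take. Note that helmet itself does not emit `Access-Control-Allow-Origin`; in an Express app this decision normally lives in the `cors` package's `origin` option or in a middleware like the one here. The hostnames are the ones named in the issue, the CloudFront entry is a placeholder, and `reflectAnyOrigin`, `normalizeOrigin`, `isAllowedOrigin`, `corsHeadersFor` and `corsMiddleware` are names chosen for this example.

```typescript
// Added example (not the project's code). Exact-match CORS origin allow-list.
// Origins are compared as scheme://host[:port]; suffix or regex matching on the
// hostname is deliberately avoided because "https://evil-sitesandtrailsbc.ca"
// would pass an endsWith("sitesandtrailsbc.ca") check.
export const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  "https://sitesandtrailsbc.ca",
  "https://beta.sitesandtrailsbc.ca",
  "https://EXAMPLE-DISTRIBUTION.cloudfront.net", // placeholder for the dev/test CloudFront URL
]);

export type CorsHeaders = { [name: string]: string };

/** Misconfigured variant: echoes any Origin back with credentials allowed.
 *  This is the behaviour a CORS misconfiguration scan flags, kept here only for comparison. */
export function reflectAnyOrigin(origin: string | undefined): CorsHeaders {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

/** Parse the Origin header and reduce it to a canonical scheme://host[:port].
 *  Returns null for "null", malformed values, or anything carrying a path/query/userinfo. */
export function normalizeOrigin(origin: string): string | null {
  let u: URL;
  try {
    u = new URL(origin);
  } catch {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  if (u.pathname !== "/" || u.search !== "" || u.hash !== "" || u.username !== "" || u.password !== "") {
    return null;
  }
  return u.origin; // drops default ports, lower-cases host
}

/** True only when the normalised origin is literally present in the allow-list. */
export function isAllowedOrigin(
  origin: string | undefined,
  allowList: ReadonlySet<string> = ALLOWED_ORIGINS,
): boolean {
  if (!origin) return false;
  const canonical = normalizeOrigin(origin);
  return canonical !== null && allowList.has(canonical);
}

/** Headers to attach to a response for the given request Origin.
 *  Vary: Origin is always set so shared caches never hand one origin's response to another. */
export function corsHeadersFor(
  origin: string | undefined,
  allowList: ReadonlySet<string> = ALLOWED_ORIGINS,
): CorsHeaders {
  const headers: CorsHeaders = { Vary: "Origin" };
  if (!isAllowedOrigin(origin, allowList)) return headers; // unknown origin: no ACAO at all
  headers["Access-Control-Allow-Origin"] = normalizeOrigin(origin as string) as string;
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Access-Control-Allow-Methods"] = "GET,POST,PUT,DELETE,OPTIONS";
  headers["Access-Control-Allow-Headers"] = "Content-Type,Authorization";
  headers["Access-Control-Max-Age"] = "600";
  return headers;
}

// Minimal request/response shapes so the middleware runs without importing express.
export type MinimalReq = { method: string; headers: Record<string, string | undefined> };
export type MinimalRes = { setHeader(name: string, value: string): void; status(code: number): MinimalRes; end(): void };

/** Express-style middleware: sets CORS headers and short-circuits preflight requests. */
export function corsMiddleware(req: MinimalReq, res: MinimalRes, next: () => void): void {
  const headers = corsHeadersFor(req.headers["origin"]);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === "OPTIONS") {
    res.status(204).end();
    return;
  }
  next();
}
```

The test cases worth keeping when wiring this in are the look-alike origins (`https://evil-sitesandtrailsbc.ca`, `https://sitesandtrailsbc.ca.attacker.example`), the wrong scheme (`http://sitesandtrailsbc.ca`) and the literal `null` origin, all of which must receive no `Access-Control-Allow-Origin` header; the placeholder CloudFront entry has to be replaced with the real distribution origin, ideally injected from Terraform or the environment rather than hard-coded.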

Dev notes:

The ZAP scan runs on a schedule in the test environment since it's more stable. To check that this is fixed in dev, you can change the environment from test to dev in the ZAP scan job in .github/workflows/scheduled.yml. Then run it manually from the Actions tab for your PR.
