May I ignore this hotspot security alert?


I am trying sonar cloud.

I analysed this project here : https://sonarcloud.io/dashboard?id=dominique-bureau_classified_ads

It is a PHP project (using the Laravel framework). As you can see, there is one "security hotspot", about the "config/cors.php" file.

'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_methods' => ['*'],
'allowed_origins' => ['*'],
'allowed_origins_patterns' => [],
'allowed_headers' => ['*'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => false,

As I am not an expert at all, I wonder if I can ignore this alert. Or, on the contrary, especially not!



Honestly I'm not familiar with SonarCloud, but as I saw from here, there is a wildcard under

'allowed_origins' => ['*'],

This means that the system reminds you about fixing/changing that later (before production deployment). Actually this is not a security issue (there is an explanation about that, under the code snippet, with 3 tabs: "What's the risk?", "Are you at risk?", "How can you fix it?").

If your code is public, and you don't want to publish your actual domain/host in your code, then you can leave this as it is now, or set that to your localhost. These ways will probably hide the security alert:

'allowed_origins' => [ 'http://localhost:8080' ],
# or your specific virtual host for your case, like "http://example.site"

But also for production you can restrict that some way, like

'allowed_origins' => [ 'https://example.com' ],

Or you can just have both in that array:

'allowed_origins' => ['http://localhost:8080', 'https://example.com'],

"allowed_origins" dictates the "origins" that are allowed to access the resources (origin here refers to the combination of scheme, domain, and port of the URL). It also allows for wildcard matching (e.g. *example.com will allow example.com and any of its subdomains to access the resource). It is set to allow all origins by default. In other words, this option specifies what sources requests should be allowed from. When not using a wildcard, the origin must be specified in full (e.g. http://example.com is valid, example.com is not).

For more, read these: Restricting Allowed Hosts, Stackoverflow answer
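As an added example (not from the question, the answer, or Laravel's own code), the PHP script below mirrors the allowed_origins matching the answer describes, modelled on how the Laravel CORS layer treats exact entries and `*` patterns, and adds a small review check that flags the wildcard the hotspot reports. The config arrays and origins in it are constructed for illustration.

```php
<?php
// Illustrative re-implementation of allowed_origins matching (added example,
// not the Laravel/fruitcake CORS code itself). An Origin is scheme + host + port.
function originAllowed(string $origin, array $allowedOrigins): bool
{
    foreach ($allowedOrigins as $allowed) {
        if ($allowed === '*') {
            return true;                         // bare wildcard: every origin is accepted
        }
        if (strpos($allowed, '*') !== false) {
            // '*example.com' -> /^.*example\.com$/ ; any origin ending in example.com matches
            $pattern = '/^' . str_replace('\*', '.*', preg_quote($allowed, '/')) . '$/';
            if (preg_match($pattern, $origin) === 1) {
                return true;
            }
        } elseif ($allowed === $origin) {
            return true;                         // exact match, including scheme and port
        }
    }
    return false;
}

// Review helper: conditions a reviewer would flag in config/cors.php.
function auditCorsConfig(array $cors): array
{
    $findings = [];
    $origins  = $cors['allowed_origins'] ?? [];
    if (in_array('*', $origins, true)) {
        $findings[] = 'allowed_origins contains "*": any site may call the listed paths';
        if (!empty($cors['supports_credentials'])) {
            $findings[] = 'wildcard origin is combined with supports_credentials';
        }
    }
    return $findings;
}

// Constructed sample configs: the one from the question and a restricted one.
$questionConfig = ['allowed_origins' => ['*'], 'supports_credentials' => false];
$restricted     = ['allowed_origins' => ['http://localhost:8080', 'https://example.com']];

var_dump(originAllowed('https://other.example', $questionConfig['allowed_origins']));
var_dump(originAllowed('https://other.example', $restricted['allowed_origins']));
var_dump(originAllowed('https://example.com', $restricted['allowed_origins']));
var_dump(originAllowed('example.com', $restricted['allowed_origins'])); // bare host, not an origin
var_dump(originAllowed('https://api.example.com', ['*example.com']));
print_r(auditCorsConfig($questionConfig));
print_r(auditCorsConfig($restricted));
```

Run it with `php cors_check.php` (hypothetical file name) to see which origins each configuration admits and which configuration the audit helper flags.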