Access-Control-Allow-Origin security issue

I wanted to test my WordPress website for security issues. I use Zero Trust to block access to /wp-admin and the login URL:
GET /wp-admin/ HTTP/2
Host: my-cool-domain.com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Cache-Control: max-age=0
Origin: https://thefourcraft.com
I get this response:
HTTP/2 302 Found
Date: Sun, 03 Mar 2024 07:58:36 GMT
Location: https://team.cloudflareaccess.com/cdn-cgi/access/login/my-cool-domain.com?kid=4bff6428ede91c76df49978fb7b21797d30541c17b8c60c147ea0b3381a33706&redirect_url=%2Fwp-admin%2F&meta=eyJraWQiOiIyYjZhODFmZmVjMzIxNzlkODI0NWVkMWIyMGEwZmRiOGQ5NWVmYTkxYTJiYzgzYzYzYjExMWM0YzkwZjA2NzBlIiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.[...].fwG5z8PGtEzu5vefY9m5RM0v8Y2A7Gf84CLSlsQkFGGDh6CsPm7CNlzQG3FH1xxZRQLMOR4hDtoNKDo6AUNe_Rol7ESwnaU0nmn-nx1ehNmeKkUi9dNy1Eop_0mpKdKAlllWYQkH3TCZoWfiZ4sLRARQQxIWylhmJh0Mb2Nf8bG9umatth7kLCz4cQM5Cfg0WiGBNxW0ALLOUXwZcJ5sjKQa9u8pXRbnJSslzrseg3z9-jd41JT_dsoQaSHsjogjUDEJK50VLJotZouxMRdiB83RjKhdvEwZXbDfT65YAUKcvpeyUxZpYa9HSrJuIq1hcpMrm5s35ewGfpZSt_eTFQ
Set-Cookie: CF_AppSession=n4f9957c5a2b4fd05; Expires=Mon, 04 Mar 2024 07:58:36 GMT; Path=/; Secure; HttpOnly
Access-Control-Allow-Origin: https://thefourcraft.com
Access-Control-Allow-Credentials: true
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5Lg4%2FMTvK%2F0H4dwuBWGQ8fYcTAIV9t0jDz04E0dcJ7MnDXFM3xeteTXv%2BnnrhDe%2BVeelvw2VKndsh3tTfITpg2%2B08S2vEy5IbgdDz8yDdFnBknYVxLoSaTNRMKuDHw%3D%3D"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
Cf-Ray: 85e81518290094dd-HFA
Alt-Svc: h3=":443"; ma=86400
As you can see, I was able to change the response to:
Access-Control-Allow-Origin: https://thefourcraft.com
Access-Control-Allow-Credentials: true
I think this might be a configuration issue with my Zero Trust, but I'm not sure.
Erisa (10mo ago)
This is intentional and benign; the redirect having that header does not cause any harm. However, if you still want to customise this, you can add a specific origin here:
[attachment: no description]
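Erisa's point is that an origin reflected on a bare redirect gives a cross-origin script nothing to read. The Python below is an added example, not code from the thread or from Cloudflare: it parses a raw response like the 302 quoted above (trimmed to the relevant headers) plus a constructed 200 JSON response for contrast, and classifies what the reflecting origin could actually obtain.

```python
from typing import Dict, Tuple

# Constructed sample: the 302 from the thread, trimmed to the headers that
# matter here (Location shortened, Cloudflare telemetry headers dropped).
REDIRECT_RESPONSE = (
    "HTTP/2 302 Found\n"
    "Location: https://team.cloudflareaccess.com/cdn-cgi/access/login/my-cool-domain.com?redirect_url=%2Fwp-admin%2F\n"
    "Set-Cookie: CF_AppSession=n4f9957c5a2b4fd05; Path=/; Secure; HttpOnly\n"
    "Access-Control-Allow-Origin: https://thefourcraft.com\n"
    "Access-Control-Allow-Credentials: true\n"
    "Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate\n"
    "Server: cloudflare\n"
)

# Constructed contrast case: a 200 that reflects the origin with credentials
# AND returns account data. That is what a real CORS misconfiguration looks like.
JSON_RESPONSE = (
    "HTTP/2 200 OK\n"
    "Content-Type: application/json\n"
    "Access-Control-Allow-Origin: https://thefourcraft.com\n"
    "Access-Control-Allow-Credentials: true\n"
    "\n"
    '{"user":"admin","email":"admin@my-cool-domain.com"}\n'
)

def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split raw response text into (status code, lowercased header map, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; URLs keep theirs
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def assess_cors(raw: str, origin: str) -> str:
    """Classify what a page at `origin` could read from this response via CORS."""
    status, h, body = parse_response(raw)
    if h.get("access-control-allow-origin") != origin:
        return "no-reflection"                  # browser blocks the cross-origin read
    if h.get("access-control-allow-credentials", "").lower() != "true":
        return "reflected-without-credentials"  # readable, but only as an anonymous user
    # Origin reflected with credentials: what matters now is what the body carries.
    # A redirect with an empty body (Set-Cookie is never exposed to scripts anyway)
    # gives the caller nothing, which is the situation in this thread.
    if 300 <= status < 400 and not body.strip():
        return "reflected-with-credentials-empty-redirect"
    return "reflected-with-credentials-readable-body"
```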