Hi All,

I would like to reach out how do the cors HTTP headers should be configure. We are currently in process of security review and our InfoSec provided us that we need to update and implement HTML5 Security Standards.

Here is our current Header

Here is the recommendation that we need to implement as per our config above.

Note:

• Validate URLs passed to XMLHttpRequest.open. Current browsers allow these URLs to be cross-domain and this behavior can lead to code injection by a remote attacker. Pay extra attention to absolute URLs.
• URLs responding with Access-Control-Allow-Origin: * must not include any sensitive content or information that might aid attacker in further attacks. Use Access-Control-Allow-Origin header only on chosen URLs that need to be accessed cross-domain. Do not use the header for the whole domain.
• When using Access-Control-Allow-Credentials: true response header, whitelist the allowed Origins and never echo back the Origin request header in Access-Control-Arrow-Origin. 
• Allow only selected, trusted domains in Access-Control-Allow-Origin header. Whitelisting domains are preferable over blacklisting or allowing any domain. Do not use * wildcard nor blindly return the Origin header content without any checks.

If possible can anyone help me how to implement the above things like. sample line as I'm new in such configurations.

Thank you in advance.