@CrossOrigin allows any origin
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
@CrossOrigin is configured with a wildcard origin ("*"), so any website can make cross-origin requests to this endpoint and read the response.
Why it matters
@CrossOrigin with a wildcard origin lets any website make cross-origin requests to this endpoint and read the response in the browser. For an endpoint that returns anything not meant to be fully public, that is an open door for any page the user happens to visit.
How to fix it
Replace the wildcard with an explicit list of the origins that actually need access (your own frontend's domain(s)), either on the annotation or in a centralized CorsConfigurationSource bean shared across the app.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo