Ensure CORS is tightly controlled and managed for Azure Function App

MEDIUM

Description

Cross-Origin Resource Sharing (CORS) is the HTTP mechanism by which a server tells browsers which web origins may read its responses, relaxing the browser's same-origin policy for those origins only. A Function App whose allowed origins contain the wildcard "*" (or a long list of unrelated domains) can be called from JavaScript on any site a user visits, with that user's browser, so an attacker-controlled page can read the function's responses. Keep the allowed-origin list to the specific front ends that need browser access. Note that CORS is enforced by browsers only: it does not restrict curl, scripts or server-to-server callers, so it complements, and never replaces, authentication and authorization on the function. For more information, see the Azure documentation.
References:
https://learn.microsoft.com/en-us/cli/azure/functionapp/cors?view=azure-cli-latest
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Function App.
  2. Choose the Function App you wish to edit.
  3. Under API, select CORS.
  4. Remove any "*" entry and list only the origins (scheme, host and, if non-default, port) that need browser access to the function. Leave "Enable Access-Control-Allow-Credentials" unchecked unless a listed origin must send cookies or authorization headers; Azure does not allow credentials together with the wildcard.

In Terraform -
The azurerm_function_app resource was deprecated in v3.x of the Azure Provider and removed in v4.0 in favor of azurerm_linux_function_app and azurerm_windows_function_app. All three take the same cors block, nested inside site_config:

  1. In the resource's site_config block, add a cors block.
  2. Set allowed_origins to the explicit list of origins that need browser access; do not use ["*"]. Set support_credentials only if those origins must send cookies or authorization headers.
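The following is an added example, not code from the policy page or from Azure; it shows a permissive cors block on the legacy azurerm_function_app resource beside a restricted one on azurerm_linux_function_app. The resource names, the resource group, plan and storage account references, and the origin https://app.example.com are assumed placeholders.

```hcl
# Added example (not from the original page). Names, resource group, plan
# and storage account references, and https://app.example.com are assumed.

# Before (pre-v4 azurerm_function_app): the wildcard lets any site a user
# visits call this function from their browser and read the response.
resource "azurerm_function_app" "weak" {
  name                       = "func-orders-weak"
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  app_service_plan_id        = azurerm_app_service_plan.plan.id
  storage_account_name       = azurerm_storage_account.sa.name
  storage_account_access_key = azurerm_storage_account.sa.primary_access_key

  site_config {
    cors {
      allowed_origins = ["*"]   # flagged by this policy
    }
  }
}

# After (azurerm_linux_function_app, same cors shape as the legacy
# resource): only the front end that needs browser access, written as a
# full origin (scheme + host, plus port if non-default), no credentials.
resource "azurerm_linux_function_app" "hardened" {
  name                       = "func-orders"
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  service_plan_id            = azurerm_service_plan.plan.id
  storage_account_name       = azurerm_storage_account.sa.name
  storage_account_access_key = azurerm_storage_account.sa.primary_access_key

  site_config {
    cors {
      allowed_origins     = ["https://app.example.com"]
      support_credentials = false
    }
  }
}
```

Origins are matched exactly, so list each one that is actually used (for example a separate staging hostname) rather than widening to a wildcard. If support_credentials must be true, Azure rejects "*" in allowed_origins, which is a second reason to keep the list explicit. Restricting CORS only controls what browsers will expose to other sites; function keys or App Service authentication are still required to keep non-browser callers out.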

References:
https://learn.microsoft.com/en-us/azure/azure-functions/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#cors

Policy Details

Rule Reference ID: AC_AZURE_0179
CSP: Azure
Remediation Available: Yes
Resource Category: Serverless
Resource Type: Function App

Frameworks