AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

[Deprecated]: CORS should not allow every resource to access your API App

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

[Deprecated]: CORS should not allow every resource to access your API App

358c20a6-3f9e-4f0e-97ff-c6ce485e2aac

Version

1.0.0-deprecated
Details on versioning

Versioning

Versions supported for Versioning: 1
1.0.0 (1.0.0-deprecated)
Built-in Versioning [Preview]

Category

App Service
Microsoft Learn

Description

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should not have CORS configured to allow every resource to access your apps', which is scoped to include API apps in addition to Web Apps.

Mode

Indexed

Type

BuiltIn

Preview

False

Deprecated

True

Effect

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

RBAC role(s)

none

Rule aliases

THEN-ExistenceCondition (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.Web/sites/config/web.cors.allowedOrigins[*]	Microsoft.Web	sites/config	properties.cors.allowedOrigins[*]	True		False

Rule resource types

IF (1)
Microsoft.Web/sites

Compliance

Not a Compliance control

Initiatives usage

none

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-07-01 16:32:34	change	Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC