Need some help regarding the CORS issue.
We recently performed a security scan on our Liferay application and a few vulnerabilities/issues were identified. I implemented a fix for the CORS issue and it was working fine for a week, however, it has now started failing again.
Issue : CORS Misconfiguration
The target application was supporting Origin: null for CORS requests, which makes it vulnerable to potential CORS attacks.
Fix Implemented
I updated the /images/* and /o/oauth2/token/* configurations with the complete domain URL.
Updated Configuration:
https://{DOMAIN_URL}/images/*
https://{DOMAIN_URL}/o/oauth2/token/*
After applying this configuration, the Origin: null value was no longer present in the response headers when passed in the request header.
Configuration Path
Control Panel → System Settings → Security Tools
Under Virtual Instance Scope → Portal Cross-Origin Resource Sharing (CORS)
However, after a week, we retested the same scenario and observed that the response header again contains Origin: null.
Could you please suggest the best permanent solution for this CORS issue, as we need to remediate it completely?
Thanks.