We have a vulnerability reported in our application. Access-Control-Allow-Origin is reflecting the same origin value that is calling the resource. It is happening because the Access-Control-Allow-Origin value is coming as null by default.

I tried to set the Access-Control-Allow-Origin custom header value in web.config as follows -

First, I added the <clear/> tag to clear all custom headers to avoid any confusion, and then added the Access-Control-Allow-Origin header value.

But when I call it from a dummy js file that I have created to test the changes, it shows the below error in the console -

Access-Control-Allow-Origin header contains multiple values 'null, https://abcd.com' but only one is allowed.

Kindly let me know how to resolve this issue.
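
An added example, not part of the original post: a JavaScript check that can be run over captured response headers to flag the conditions described above (multiple values such as 'null, https://abcd.com', a null origin, or reflection of an origin outside an allowlist). The function name `auditAcao`, the allowlist, and the sample inputs are assumptions constructed for illustration.

```javascript
// Audit the Access-Control-Allow-Origin (ACAO) value(s) a server returned
// for one request. All names and sample data here are constructed.
function auditAcao(requestOrigin, acaoHeaders, allowedOrigins) {
  // The header may be emitted more than once (for example by both the
  // server configuration and the application). Repeated headers are
  // combined with ", ", which is how 'null, https://abcd.com' appears.
  const values = acaoHeaders
    .flatMap((h) => h.split(","))
    .map((v) => v.trim())
    .filter((v) => v.length > 0);

  const findings = [];
  if (values.length === 0) findings.push("missing");
  if (values.length > 1) findings.push("multiple-values");
  if (values.includes("null")) findings.push("null-origin-allowed");
  if (values.includes("*")) findings.push("wildcard");
  // Echoing back an origin that is not on the allowlist is the
  // "reflected origin" finding from the report.
  if (values.includes(requestOrigin) && !allowedOrigins.includes(requestOrigin)) {
    findings.push("reflects-untrusted-origin");
  }
  return { values, findings, ok: findings.length === 0 };
}

// Constructed sample responses: [request Origin, ACAO header lines].
const allowlist = ["https://abcd.com"];
const samples = [
  ["https://abcd.com", ["null", "https://abcd.com"]],            // the error in the post
  ["https://untrusted.example", ["https://untrusted.example"]],  // reflection
  ["https://abcd.com", ["https://abcd.com"]],                    // single allowlisted value
];
for (const [origin, headers] of samples) {
  const result = auditAcao(origin, headers, allowlist);
  console.log(origin, "->", result.ok ? "ok" : result.findings.join(", "));
}
```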