{
  "ruleId": "S005",
  "name": "No Origin Header Authentication",
  "description": "Prevent using Origin header for authentication or authorization decisions",
  "category": "security",
  "severity": "error",
  "languages": ["typescript", "javascript"],
  "tags": ["security", "owasp", "authentication", "authorization", "spoofing", "headers"],
  "enabled": true,
  "fixable": false,
  "engine": "heuristic",
  "metadata": {
    "owaspCategory": "A07:2021 - Identification and Authentication Failures",
    "cweId": "CWE-290",
    "description": "The Origin header is client-supplied: non-browser clients (curl, scripts, proxies) can send any value, and browsers may omit it on some requests, so it carries no proof of who the caller is. Browsers do control it for requests they initiate, which is why it is usable as a CSRF check, but it must never decide authentication or authorization. Use server-verified tokens, sessions, or cryptographic signatures instead.",
    "impact": "High - Authentication bypass, unauthorized access",
    "likelihood": "Medium",
    "remediation": "Use credentials the server can verify: session cookies resolved against server-side session state, JWTs whose signature, issuer, audience and expiry are validated, or API keys compared with a constant-time check. Restrict the Origin header to CORS allowlisting and to a defense-in-depth CSRF check (reject state-changing requests whose Origin is present but not allowlisted); never use it for access control."
  },
  "patterns": {
    "vulnerable": [
      "if (req.headers.origin === 'trusted.com') { authenticate() }",
      "const isAuthorized = allowedOrigins.includes(origin)",
      "if (origin.includes('admin')) { grantAccess() }",
      "switch(origin) { case 'internal': allow() }"
    ],
    "secure": [
      "Use for CORS: if (allowedOrigins.includes(origin)) { res.setHeader('Access-Control-Allow-Origin', origin) } -- never reflect an unvalidated Origin into the CORS response, especially when credentials are allowed",
      "Use for CSRF: if (allowedOrigins.includes(origin)) { /* CSRF check */ }",
      "Use verified tokens: const user = await verifyJWT(req.headers.authorization)",
      "Use sessions: const user = await getSessionUser(req.session.id)"
    ]
  },
  "examples": {
    "violations": [
      "if (req.headers.origin === 'admin.example.com') { req.user = adminUser; }",
      "const hasAccess = trustedOrigins.includes(req.get('origin'))",
      "if (origin.endsWith('.internal.com')) { bypassAuth() }"
    ],
    "fixes": [
      "const user = await verifyToken(req.headers.authorization)",
      "const session = await validateSession(req.cookies.sessionId)",
      "const apiKey = await verifyApiKey(req.headers['x-api-key'])"
    ]
  }
}
