Internal security scans flag a vulnerability regarding "Permissive Cross-domain Policy" on Authentication Hub version 3.4.* and 4.0.0. Requests to static resources, such as https://[authhub_fqdn]/default/ui/v1/adminconsole, return the HTTP header Access-Control-Allow-Origin: * along with the HTML content.
The current Cross-Origin Resource Sharing (CORS) policy for static resources is set to a wildcard (*) to ensure industry-standard compatibility for public static assets. These resources consist of static HTML, CSS, and JavaScript files that do not contain sensitive data or user-specific information.
The scan finding is a false positive. The permissive policy applies only to public static assets. All sensitive operations and data access are conducted via the Admin API, which is protected and enforces strict CORS restrictions and authentication.
Exclude the static asset paths (/ui/v1/*) from the security scanner's violation rules to resolve the finding.
Note: Further improvements to restrict the default CORS configuration for these static assets are being addressed as part of a future product enhancement.
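The triage logic described above (wildcard CORS is acceptable on the /ui/v1/* static assets, but a finding anywhere else) can be applied to scanner output before filing or suppressing a result. The following is an added example, not code from the article or from the Authentication Hub product: it classifies captured (path, response headers) pairs and only excuses a wildcard Access-Control-Allow-Origin when the path matches the static-asset pattern and no Access-Control-Allow-Credentials: true header accompanies it. The /default/ui/v1/adminconsole path comes from the article; the /default/api/... paths and all header values are constructed sample data, not documented Authentication Hub routes.

```python
import fnmatch
from typing import Dict, List, Tuple

# Static-asset paths the article says are intentionally served with a wildcard
# origin. fnmatch's "*" also matches "/", so "*/ui/v1/*" covers the tenant prefix.
STATIC_ASSET_PATTERNS = ["*/ui/v1/*"]

# Constructed sample scanner evidence: (request path, response headers).
# The adminconsole path is from the article; the api paths are hypothetical.
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str]]] = [
    ("/default/ui/v1/adminconsole",
     {"Access-Control-Allow-Origin": "*", "Content-Type": "text/html"}),
    ("/default/ui/v1/app.js",
     {"Access-Control-Allow-Origin": "*", "Content-Type": "application/javascript"}),
    ("/default/api/v1/admin/users",
     {"Access-Control-Allow-Origin": "https://admin.example.com",
      "Access-Control-Allow-Credentials": "true", "Content-Type": "application/json"}),
    # Constructed misconfiguration: wildcard on a non-static path, with credentials.
    ("/default/api/v1/admin/settings",
     {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true",
      "Content-Type": "application/json"}),
]


def is_static_asset(path: str) -> bool:
    """True when the path falls under the excluded static-asset locations."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in STATIC_ASSET_PATTERNS)


def triage(path: str, headers: Dict[str, str]) -> str:
    """Classify one response as 'ok', 'false-positive' or 'finding'.

    - No wildcard origin: nothing to report ('ok').
    - Wildcard origin plus Allow-Credentials: true: browsers reject this
      combination, but it still signals a misconfigured endpoint ('finding').
    - Wildcard origin on a static-asset path: the documented public-asset
      policy ('false-positive').
    - Wildcard origin anywhere else: a real finding that needs review.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    origin = lowered.get("access-control-allow-origin")
    credentials = lowered.get("access-control-allow-credentials", "").strip().lower() == "true"

    if origin != "*":
        return "ok"
    if credentials:
        return "finding"
    if is_static_asset(path):
        return "false-positive"
    return "finding"


def summarize(responses: List[Tuple[str, Dict[str, str]]]) -> Dict[str, List[str]]:
    """Group paths by triage verdict so only real findings go to the ticket queue."""
    report: Dict[str, List[str]] = {"ok": [], "false-positive": [], "finding": []}
    for path, headers in responses:
        report[triage(path, headers)].append(path)
    return report


if __name__ == "__main__":
    for verdict, paths in summarize(SAMPLE_RESPONSES).items():
        print(f"{verdict}: {paths}")
```

The exclusion is deliberately scoped to the path pattern rather than to the header value, so the scanner rule that suppresses the static-asset result does not also hide a wildcard that later appears on an API route.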