amplitude / Amplitude-Kotlin

Amplitude Kotlin SDK
MIT License
27 stars 10 forks

API CORS Header Configuration Potentially Allows Unintended Data Leakage #149

Closed nidhi88 closed 2 weeks ago

nidhi88 commented 11 months ago

Summary

Hello,

During our security scan, we encountered the domain https://api2.amplitude.com/ using the access-control-allow-origin header and it is set to '*', which will allow requests from any domain to access resources being shared. This can lead to exploits where a malicious actor can request from their domain and receive a response that can contain sensitive information.

Can we have the access-control-allow-origin header with a specific whitelist of allowed domains, instead of allowing any domain?

izaaz commented 2 weeks ago

@nidhi88 - Amplitude APIs are expected to be called from multiple domains to send data into Amplitude, which is why the access control header is set to *. The API is used to push data to Amplitude and does not return any data back.
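The exchange above turns on a point that scanners often miss: `Access-Control-Allow-Origin: *` only matters when the response body carries something a third-party page should not be able to read, and browsers never expose a credentialed response behind a bare `*`. The script below is an added example, not Amplitude's code or part of the SDK; it parses a raw response header block and classifies the CORS configuration the way a reviewer triaging this report would. The sample responses, the `third-party.example` probe origin and the `body_is_sensitive` flag are constructed for the example; only `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` are real response headers.

```python
# Added example (not Amplitude's code): triage of the CORS headers behind a scan
# finding like the one reported above. Sample responses and the probe origin are
# constructed; the two Access-Control-* headers are real CORS response headers.
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class CorsFinding:
    severity: str  # "info", "low" or "high"
    reason: str


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Turn the header block of a raw HTTP response into a dict.

    Keys are lower-cased so lookups are case-insensitive, as header names are.
    Parsing stops at the blank line that separates headers from the body.
    """
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def triage_cors(headers: Dict[str, str], probe_origin: str, body_is_sensitive: bool) -> CorsFinding:
    """Classify what a page on another origin could read from this response.

    probe_origin is the Origin value the scanner sent (a third-party origin).
    body_is_sensitive says whether the body holds data that arbitrary sites
    should not read, e.g. per-user data, or anything gated only by network
    position rather than by browser credentials.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"

    if acao is None:
        return CorsFinding("info", "no Access-Control-Allow-Origin: browsers block cross-origin reads")

    if acao == "*":
        if creds:
            # Browsers refuse to expose a credentialed response behind '*', so nothing
            # leaks today, but the flag was clearly set without a matching allowlist.
            return CorsFinding("low", "'*' with Allow-Credentials: true (rejected by browsers, still a misconfiguration)")
        if body_is_sensitive:
            return CorsFinding("high", "'*' on a response whose body is sensitive even without browser credentials")
        return CorsFinding("info", "'*' on a credential-free endpoint with no sensitive body: public by design")

    if acao == probe_origin:
        # The server echoed the probe Origin back. With credentials this lets any site
        # read authenticated responses as the visiting user; without them it is a '*'.
        if creds:
            return CorsFinding("high", "probe origin reflected with Allow-Credentials: true")
        if body_is_sensitive:
            return CorsFinding("high", "probe origin reflected on a sensitive, credential-free response")
        return CorsFinding("info", "probe origin reflected on a non-sensitive response (equivalent to '*')")

    return CorsFinding("info", f"fixed allowlist entry {acao!r}; probe origin not allowed")


# Constructed sample: a write-only ingestion response of the kind discussed above.
INGEST_RESPONSE = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/plain

success
"""

# Constructed sample of the pattern that would actually justify the report's severity.
REFLECTING_RESPONSE = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://third-party.example
Access-Control-Allow-Credentials: true
Content-Type: application/json

{"email": "user@example.com"}
"""

PROBE_ORIGIN = "https://third-party.example"  # constructed scanner origin


def triage_raw(raw: str, body_is_sensitive: bool) -> CorsFinding:
    """Convenience wrapper: parse a raw response and triage it against PROBE_ORIGIN."""
    return triage_cors(parse_response_headers(raw), PROBE_ORIGIN, body_is_sensitive)


if __name__ == "__main__":
    for label, raw, sensitive in (("ingest", INGEST_RESPONSE, False),
                                  ("reflecting", REFLECTING_RESPONSE, True)):
        finding = triage_raw(raw, sensitive)
        print(f"{label}: {finding.severity} - {finding.reason}")
```

Run against the constructed ingestion response the result is `info`, matching the maintainer's reasoning: the endpoint takes data in and returns none, so a wildcard exposes nothing. The reflecting sample is the configuration a report like this should be reserved for, and the `body_is_sensitive` input is the question a scanner cannot answer from headers alone and a reviewer has to supply.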