Amplitude-Kotlin
API CORS Header Configuration Potentially Allows Unintended Data Leakage
Summary
Hello,
During our security scan, we encountered the domain https://api2.amplitude.com/ using the access-control-allow-origin header, and it is set to '*', which will allow requests from any domain to access the resources being shared. This can lead to exploits where a malicious actor can send a request from their domain and receive a response that can contain sensitive information.
Can we have the access-control-allow-origin header with a specific whitelist of allowed domains, instead of allowing any domain?
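The two configurations the report contrasts, side by side, as an added example (not Amplitude's code and not part of the report): a handler that answers every request with `Access-Control-Allow-Origin: *`, a hardened handler that echoes the request's `Origin` only when it appears on an allowlist, and a small audit helper that flags the wildcard setting in captured response headers. The allowlist entries, the function names and the `audit_cors` finding strings are assumptions chosen for illustration.

```python
"""Allowlist-based CORS origin handling (added example, not Amplitude's code).

Shows the difference between answering every Origin with
'Access-Control-Allow-Origin: *' and answering only allowlisted origins,
plus an audit helper that flags the wildcard in a captured response.
ALLOWED_ORIGINS, the function names and the finding texts are assumptions.
"""
from urllib.parse import urlsplit

# Constructed allowlist of first-party origins (scheme + host [+ port]).
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def normalize_origin(origin):
    """Return scheme://host[:port] in lowercase, or None if malformed.

    An Origin header never carries a path, query or fragment, so anything
    with those parts is rejected rather than loosely matched.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers_permissive(request_origin):
    """The configuration the report describes: every origin is accepted."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers_allowlisted(request_origin):
    """Hardened variant: echo the Origin only when it is on the allowlist.

    'Vary: Origin' tells caches that the response depends on the request's
    Origin header, so a response built for one origin is not replayed to
    another. Exact-string matching avoids prefix/suffix lookalike hosts.
    """
    origin = normalize_origin(request_origin)
    if origin is None or origin not in ALLOWED_ORIGINS:
        # No ACAO header at all: the browser blocks the cross-origin read.
        return {"Vary": "Origin"}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def audit_cors(response_headers):
    """Flag risky CORS settings in a captured response's headers.

    Returns a list of finding strings (empty when nothing is flagged).
    Header names are matched case-insensitively.
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower()
    findings = []
    if acao == "*":
        findings.append("wildcard ACAO: any origin may read the response")
        if creds == "true":
            # Browsers refuse this combination; it still signals a server
            # that was configured without regard to origin restrictions.
            findings.append("wildcard ACAO combined with credentials=true")
    elif acao and creds == "true" and acao not in ALLOWED_ORIGINS:
        findings.append(f"credentialed ACAO for non-allowlisted origin {acao}")
    return findings


if __name__ == "__main__":
    # Constructed sample request origins and a constructed captured response.
    for origin in ("https://app.example.com", "https://other.example", "null"):
        print(origin, "->", cors_headers_allowlisted(origin))
    print(audit_cors({"Access-Control-Allow-Origin": "*"}))
```

The wildcard form is what browsers accept only for responses that carry no credentials (no cookies, no `Authorization` header honoured cross-origin), so the relevant question for an endpoint such as the one in the report is whether any response it returns is tied to the caller's session; the allowlisted form answers that question the same way for every endpoint by never granting a read to an origin that is not explicitly listed.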