From 98847b31e7bff8451e9c02ec473aed9440f28123 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Sun, 26 Apr 2026 20:41:36 +0200 Subject: [PATCH] fix(cors): restrict allowed origins via ALLOWED_ORIGINS env var Wildcard CORS allowed any website to make authenticated cross-origin requests on behalf of a victim. Origins are now read from the ALLOWED_ORIGINS env var (comma-separated). No origins configured means all cross-origin requests are rejected. --- src/createApp.js | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/createApp.js b/src/createApp.js index f507751..68ad950 100644 --- a/src/createApp.js +++ b/src/createApp.js @@ -9,7 +9,13 @@ const config = require('./config'), function createApp() { const app = express(); - app.use(cors()); + const allowedOrigins = process.env.ALLOWED_ORIGINS + ? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim()) + : []; + app.use(cors({ + origin: allowedOrigins.length > 0 ? allowedOrigins : false, + credentials: true + })); app.use(express.json()); app.use(express.urlencoded({ extended: true })); app.use(require('method-override')());