fix(cors): restrict allowed origins via ALLOWED_ORIGINS env var

Wildcard CORS allowed any website to make authenticated cross-origin
requests on behalf of a victim. Origins are now read from the
ALLOWED_ORIGINS env var (comma-separated). No origins configured
means all cross-origin requests are rejected.
This commit is contained in:
2026-04-26 20:41:36 +02:00
parent 946436fdaf
commit 98847b31e7
+7 -1
View File
@@ -9,7 +9,13 @@ const config = require('./config'),
function createApp() {
const app = express();
app.use(cors());
const allowedOrigins = process.env.ALLOWED_ORIGINS
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
: [];
app.use(cors({
origin: allowedOrigins.length > 0 ? allowedOrigins : false,
credentials: true
}));
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
app.use(require('method-override')());