fix(cors): restrict allowed origins via ALLOWED_ORIGINS env var
Wildcard CORS allowed any website to make authenticated cross-origin requests on behalf of a victim. Origins are now read from the ALLOWED_ORIGINS env var (comma-separated). No origins configured means all cross-origin requests are rejected.
This commit is contained in:
+7
-1
@@ -9,7 +9,13 @@ const config = require('./config'),
|
|||||||
|
|
||||||
function createApp() {
|
function createApp() {
|
||||||
const app = express();
|
const app = express();
|
||||||
app.use(cors());
|
const allowedOrigins = process.env.ALLOWED_ORIGINS
|
||||||
|
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
|
||||||
|
: [];
|
||||||
|
app.use(cors({
|
||||||
|
origin: allowedOrigins.length > 0 ? allowedOrigins : false,
|
||||||
|
credentials: true
|
||||||
|
}));
|
||||||
app.use(express.json());
|
app.use(express.json());
|
||||||
app.use(express.urlencoded({ extended: true }));
|
app.use(express.urlencoded({ extended: true }));
|
||||||
app.use(require('method-override')());
|
app.use(require('method-override')());
|
||||||
|
|||||||
Reference in New Issue
Block a user