fix(cors): restrict allowed origins via ALLOWED_ORIGINS env var
Wildcard CORS allowed any website to make authenticated cross-origin requests on behalf of a victim. Origins are now read from the ALLOWED_ORIGINS env var (comma-separated). No origins configured means all cross-origin requests are rejected.
This commit is contained in:
+7
-1
@@ -9,7 +9,13 @@ const config = require('./config'),
|
||||
|
||||
function createApp() {
|
||||
const app = express();
|
||||
app.use(cors());
|
||||
const allowedOrigins = process.env.ALLOWED_ORIGINS
|
||||
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
|
||||
: [];
|
||||
app.use(cors({
|
||||
origin: allowedOrigins.length > 0 ? allowedOrigins : false,
|
||||
credentials: true
|
||||
}));
|
||||
app.use(express.json());
|
||||
app.use(express.urlencoded({ extended: true }));
|
||||
app.use(require('method-override')());
|
||||
|
||||
Reference in New Issue
Block a user