🛡️ Sentinel: [HIGH] Fix missing Vary header in CORS responses

[EffortlessSteven]

🚨 Severity: HIGH
💡 Vulnerability: Missing Vary: Origin header in dynamic CORS responses.
🎯 Impact: Intermediate caches (like CDNs or proxies) might cache a CORS response intended for one origin and serve it to a different origin, leading to a cache poisoning vulnerability or broken CORS.
🔧 Fix: Appended Vary: Origin to the response headers in both regular and preflight CORS handlers whenever Access-Control-Allow-Origin is dynamically set in crates/app-http/src/middleware/cors.rs and crates/http-middleware/src/cors.rs.
✅ Verification: Ran cargo check and cargo test -p app-http -p http-middleware successfully.

---

PR created automatically by Jules for task 11424256540909223913 started by @EffortlessSteven

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 2 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 21 minutes and 2 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0546d284-d842-4607-a79d-82bb5eecf30d

📥 Commits

Reviewing files that changed from the base of the PR and between 90fd4d1 and 3136d0d.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (4)

• .cargo/audit.toml
• crates/app-http/src/middleware/cors.rs
• crates/http-middleware/src/cors.rs
• deny.toml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel/fix-cors-vary-origin-11424256540909223913

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces the Vary: origin header to the CORS middleware in the app-http and http-middleware crates. The review feedback suggests using the canonical casing "Origin" and recommends extending the logic to include the header in all responses, including rejections, to ensure proper caching behavior and prevent cache poisoning.

[gemini-code-assist]

The Vary: Origin header should be added to all responses where the Origin header is inspected, including those where the origin is rejected. If a 'denied' response is cached without this header, it may be served to subsequent requests from allowed origins, causing CORS failures. Since the middleware dynamically determines the Access-Control-Allow-Origin header, Vary: Origin is essential for all cacheable responses. Consider moving this logic outside the conditional block to ensure it's always applied when the middleware is active. Also, using the canonical casing "Origin" is recommended. Finally, ensure that integration tests are updated to verify the presence of this header.

Suggested change

	response.headers_mut().append(header::VARY, HeaderValue::from_static("origin"));
	response.headers_mut().append(header::VARY, HeaderValue::from_static("Origin"));

[gemini-code-assist]

The Vary: Origin header should be added to all responses (including rejections) to prevent cache poisoning where a CORS-less response is served to an allowed origin. Also, using the canonical "Origin" casing is recommended.

Suggested change

	response.headers_mut().append(header::VARY, HeaderValue::from_static("origin"));
	response.headers_mut().append(header::VARY, HeaderValue::from_static("Origin"));

[gemini-code-assist]

Use the canonical casing "Origin" for the Vary header value.

Suggested change

	response.headers_mut().append(header::VARY, HeaderValue::from_static("origin"));
	response.headers_mut().append(header::VARY, HeaderValue::from_static("Origin"));

[gemini-code-assist]

Use the canonical casing "Origin" for the Vary header value.

Suggested change

	response.headers_mut().append(header::VARY, HeaderValue::from_static("origin"));
	response.headers_mut().append(header::VARY, HeaderValue::from_static("Origin"));

[github-actions]

Test Results

283 tests   245 ✅  10m 55s ⏱️
 25 suites   38 💤
  1 files      0 ❌

Results for commit 3136d0d.

♻️ This comment has been updated with latest results.

[github-actions]

Hint: prefix PR titles with AC-###, US-###, or FT-### for traceability. Add label skip-title-check to suppress.

[github-actions]

Scope Guard Summary

Metric	Value
Files changed	35
Scope declared	false
Declared type	any
Waived	false

Change distribution:

• Runtime (crates/*.rs): 2
• Documentation: 0
• Specs: 0
• Policy: 0
• CI workflows: 30

⚠️ Danger zone files touched:

.github/workflows/ci-ac.yml
.github/workflows/ci-agents.yml
.github/workflows/ci-coverage.yml
.github/workflows/ci-db.yml
.github/workflows/ci-docs.yml
.github/workflows/ci-events.yml
.github/workflows/ci-example-fork.yml
.github/workflows/ci-features.yml
.github/workflows/ci-flags-warn.yml
.github/workflows/ci-flags.yml
.github/workflows/ci-gherkin.yml
.github/workflows/ci-governance.yml
.github/workflows/ci-lints.yml
.github/workflows/ci-msrv.yml
.github/workflows/ci-nix.yml
.github/workflows/ci-openapi.yml
.github/workflows/ci-policy-verify.yml
.github/workflows/ci-privacy.yml
.github/workflows/ci-proto.yml
.github/workflows/ci-scope-guard.yml
.github/workflows/ci-security.yml
.github/workflows/ci-skills.yml
.github/workflows/ci-supply-chain.yml
.github/workflows/ci-template-selftest.yml
.github/workflows/maintenance-pin-actions.yml
.github/workflows/policy-test.yml
.github/workflows/release-sbom-sign.yml
.github/workflows/selftest.yml
.github/workflows/tier1-selftest.yml
.github/workflows/tool-versions.yml

Policy evaluation:

�[33mWARN�[0m - /tmp/scope_input.json - main - PR body missing ## Scope block. Consider adding for reviewer clarity.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-ac.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-agents.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-coverage.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-db.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-docs.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-events.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-example-fork.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-features.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-flags-warn.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-flags.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-gherkin.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-governance.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-lints.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-msrv.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-nix.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-openapi.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-policy-verify.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-privacy.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-proto.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-scope-guard.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-security.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-skills.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-supply-chain.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/ci-template-selftest.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/maintenance-pin-actions.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/policy-test.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/release-sbom-sign.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/selftest.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/tier1-selftest.yml' modified without ## Scope declaration. Add scope block to PR body.
�[31mFAIL�[0m - /tmp/scope_input.json - main - Danger zone file '.github/workflows/tool-versions.yml' modified without ## Scope declaration. Add scope block to PR body.

�[31m31 tests, 0 passed, 1 warning, 30 failures, 0 exceptions�[0m

---

💡 Add a ## Scope block to your PR description to silence this advisory.