Skip to content

feat(security): restrict CORS to an origin allowlist#244

Open
changliuchang777 wants to merge 1 commit into
StableRoute-Org:mainfrom
changliuchang777:security/cors-06-origin-allowlist
Open

feat(security): restrict CORS to an origin allowlist#244
changliuchang777 wants to merge 1 commit into
StableRoute-Org:mainfrom
changliuchang777:security/cors-06-origin-allowlist

Conversation

@changliuchang777

Copy link
Copy Markdown

Summary

  • Replace the bare cors() middleware with a CORS origin allowlist driven by CORS_ALLOWED_ORIGINS.
  • Default unset configuration to localhost-only development origins instead of reflecting arbitrary origins.
  • Keep requests without an Origin header flowing without CORS reflection and leave credentials disabled.
  • Add focused CORS parsing/preflight tests and document CORS_ALLOWED_ORIGINS in the README.

Fixes #6

Validation

  • git diff --check (passes; only Git for Windows LF/CRLF warnings shown)
  • npm test -- --runInBand src/__tests__/cors.test.ts (blocked by existing baseline import-time failure: src/index.ts redeclares WEBHOOK_MAX_EVENTS before this focused suite can run)
  • npm run build (blocked by existing baseline TypeScript errors: duplicate declarations in src/index.ts, stale PairMeta test fixture shape, missing/undefined quote variables)
  • npm run lint (blocked by existing baseline lint errors in existing files such as errorHandler.test.ts, securityHeaders.test.ts, and unused declarations in src/index.ts; this patch adds only one warning in the existing CORS paused POST assertion style)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Restrict CORS to a configurable allowlist instead of wildcard

1 participant