P0: Secure CORS default instead of '*' (#167) #184
Open
dkijania wants to merge 1 commit into
CORS defaulted to `origin: process.env.CORS_ORIGIN ?? '*'`, so out of the box the API allowed cross-origin browser access from anywhere. For a publicly reachable endpoint that wide-open default should be a deliberate choice, not the fallback.

Resolve the Yoga `cors` option from CORS_ORIGIN with a secure default:

- unset / empty → CORS disabled (same-origin only)
- `*` → allow any origin (explicit opt-in)
- comma-separated origins → allowlist

Server-to-server clients and curl are unaffected — this only governs browsers calling from another origin. The parsing lives in a small, unit-tested module; a value that parses to no origins falls back to the secure default rather than an empty, surprising allowlist.

Docs and env example updated, including a note that production should leave CORS_ORIGIN unset or use an allowlist.

Closes #167.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QSuak9smCHbp4N17xjjLF6
What & why

Part of the production-readiness epic (#163). Closes #167.

CORS defaulted to `origin: process.env.CORS_ORIGIN ?? '*'` — out of the box the API allowed cross-origin browser access from any origin. For a publicly reachable endpoint, wide-open CORS should be a deliberate choice, not the fallback.

Behavior

`CORS_ORIGIN` now resolves to a secure default:

| `CORS_ORIGIN` | Result |
| --- | --- |
| unset / empty | CORS disabled (same-origin only) |
| `*` | allow any origin (explicit opt-in) |
| `https://a.com,https://b.com` | allowlist of those origins |

Server-to-server clients and `curl` are unaffected — CORS only governs browsers calling from another origin. A value that parses to no origins (e.g. just commas) falls back to the secure default rather than an empty, surprising allowlist.

Note on behavior change

This changes the out-of-the-box default from "any origin" to "same-origin only". Deployments that rely on browser cross-origin access must now set `CORS_ORIGIN` explicitly (`*` or an allowlist). This is documented in `getting-started.md`; the Compose example keeps `*` for local-dev convenience with a comment flagging it.

Changes

- `src/server/cors.ts` — `resolveCorsOptions(env)` (isolated, unit-tested).
- `server.ts` uses `cors: resolveCorsOptions()`.

Testing

- `npm run build` — clean
- `npm run test:unit` — all pass (6 new CORS cases)
- `npm run lint` — clean
- `npx prettier --debug-check .` — exit 0

🤖 Generated with Claude Code
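The resolution rules the commit message and the description both spell out (unset or empty disables CORS, `*` is an explicit opt-in, a comma-separated list becomes an allowlist, and a list that parses to nothing falls back to the secure default), as an added example. This is not the PR's `src/server/cors.ts`, whose contents are not shown on this page: `CorsOptions` is a local stand-in shaped like GraphQL Yoga's `cors` object, and the exact-origin validation via `new URL()` and the `isOriginAllowed()` helper are additions of this example, not behaviour the PR claims.

```typescript
// Added example of the CORS_ORIGIN resolution described in the PR.
// Not the PR's src/server/cors.ts. CorsOptions is a local stand-in for
// Yoga's `cors` option shape; origin validation and isOriginAllowed()
// are this example's own additions.

// `false` disables CORS entirely: no Access-Control-* headers are sent,
// so a browser on another origin cannot read the response.
type CorsOptions = { origin?: string | string[] };
export type CorsSetting = false | CorsOptions;

// Accept only exact origins ("scheme://host[:port]"). A trailing slash,
// a path, an uppercase host or a bare hostname would never equal the
// browser's Origin header, so fail at startup rather than silently deny.
function assertExactOrigin(entry: string): void {
  let origin: string;
  try {
    origin = new URL(entry).origin;
  } catch {
    throw new Error(`CORS_ORIGIN entry is not a URL: "${entry}"`);
  }
  if (origin !== entry) {
    throw new Error(
      `CORS_ORIGIN entry "${entry}" must be an exact origin like "${origin}"`,
    );
  }
}

export function parseCorsOrigin(raw: string | undefined): CorsSetting {
  const value = (raw ?? "").trim();
  if (value === "") return false;            // unset / empty: same-origin only
  if (value === "*") return { origin: "*" }; // explicit opt-in to any origin

  const origins = value
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  if (origins.length === 0) return false;    // ",," etc.: secure default, not []

  // "*" mixed into a list is rejected here, since "*" is not a URL.
  for (const o of origins) assertExactOrigin(o);
  return { origin: origins };
}

// server.ts would call this as resolveCorsOptions(process.env).
export function resolveCorsOptions(
  env: Record<string, string | undefined>,
): CorsSetting {
  return parseCorsOrigin(env.CORS_ORIGIN);
}

// Whether a browser request carrying this Origin header would be allowed.
export function isOriginAllowed(setting: CorsSetting, origin: string): boolean {
  if (setting === false) return false;
  if (setting.origin === "*") return true;
  return Array.isArray(setting.origin) && setting.origin.includes(origin);
}
```

The strict `new URL(entry).origin === entry` check is deliberately pedantic: Yoga compares the `Origin` header against the configured strings, so an allowlist entry with a trailing slash or a path would lock browsers out while looking correct in the env file. Rejecting it at startup turns a silent outage into a clear error.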