Severity
High
Files
app/backend/src/main.ts (app.enableCors block)
Description
No CORS is configured. In dev the frontend at http://localhost:3000 is allowlisted by browser policy but in production this becomes vacuous. Currently any origin can connect.
Acceptance Criteria
- Configure CORS via env ALLOWED_ORIGINS (comma-separated)
- credentials: true only when origin allowlisted
- methods limited to GET/POST/PUT/PATCH/DELETE/OPTIONS
- Add a contract test that asserts disallowed preflight returns no Access-Control-Allow-Origin
Severity
High
Files
app/backend/src/main.ts (app.enableCors block)
Description
No CORS is configured. In dev the frontend at http://localhost:3000 is allowlisted by browser policy but in production this becomes vacuous. Currently any origin can connect.
Acceptance Criteria