Skip to content

[backend][security] CORS allowlist is commented out #519

Description

@Xhristin3

Severity

High

Files

app/backend/src/main.ts (app.enableCors block)

Description

No CORS is configured. In dev the frontend at http://localhost:3000 is allowlisted by browser policy but in production this becomes vacuous. Currently any origin can connect.

Acceptance Criteria

  • Configure CORS via env ALLOWED_ORIGINS (comma-separated)
  • credentials: true only when origin allowlisted
  • methods limited to GET/POST/PUT/PATCH/DELETE/OPTIONS
  • Add a contract test that asserts disallowed preflight returns no Access-Control-Allow-Origin

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions