Problem: In index.ts, if CORS_ORIGIN env var is not set, corsOrigins defaults to ["http://localhost:3000"]. This is fine for local dev, but the code does not explicitly reject * (wildcard) if a developer mistakenly sets CORS_ORIGIN=* in production. The .env.example contains a comment warning about this but there is no runtime enforcement.
Scope: Add a runtime validation that rejects wildcard CORS in production.
Implementation guidance:
In config/env.ts, add a validation: if NODE_ENV === "production" and CORS_ORIGIN includes *, throw a startup error with a clear message.
Add a unit test in env.test.ts for this case.
Log the resolved CORS origins on startup (with INFO level) so operators can confirm.
Acceptance criteria: Server refuses to start in production with CORS_ORIGIN=*; the error message clearly explains the issue; development mode allows *.
Validation: env.test.ts test case passes.
Files to modify: backend/src/config/env.ts, backend/src/config/env.test.ts
Problem: In index.ts, if CORS_ORIGIN env var is not set, corsOrigins defaults to ["http://localhost:3000"]. This is fine for local dev, but the code does not explicitly reject * (wildcard) if a developer mistakenly sets CORS_ORIGIN=* in production. The .env.example contains a comment warning about this but there is no runtime enforcement.
Scope: Add a runtime validation that rejects wildcard CORS in production.
Implementation guidance:
In config/env.ts, add a validation: if NODE_ENV === "production" and CORS_ORIGIN includes *, throw a startup error with a clear message.
Add a unit test in env.test.ts for this case.
Log the resolved CORS origins on startup (with INFO level) so operators can confirm.
Acceptance criteria: Server refuses to start in production with CORS_ORIGIN=*; the error message clearly explains the issue; development mode allows *.
Validation: env.test.ts test case passes.
Files to modify: backend/src/config/env.ts, backend/src/config/env.test.ts