Skip to content

CORS: Enforce No-Wildcard in Production #631

Description

@SheyeJDev

Problem: In index.ts, if CORS_ORIGIN env var is not set, corsOrigins defaults to ["http://localhost:3000"]. This is fine for local dev, but the code does not explicitly reject * (wildcard) if a developer mistakenly sets CORS_ORIGIN=* in production. The .env.example contains a comment warning about this but there is no runtime enforcement.

Scope: Add a runtime validation that rejects wildcard CORS in production.

Implementation guidance:
In config/env.ts, add a validation: if NODE_ENV === "production" and CORS_ORIGIN includes *, throw a startup error with a clear message.
Add a unit test in env.test.ts for this case.
Log the resolved CORS origins on startup (with INFO level) so operators can confirm.

Acceptance criteria: Server refuses to start in production with CORS_ORIGIN=*; the error message clearly explains the issue; development mode allows *.

Validation: env.test.ts test case passes.

Files to modify: backend/src/config/env.ts, backend/src/config/env.test.ts

Metadata

Metadata

Labels

Stellar WaveIssues in the Stellar wave programbackendExpress API (Node/TS) workenhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions