fix: Implement WebSocket origin checking in production #3273
salignatmoandal wants to merge 1 commit into superplanehq:main from
Signed-off-by: Mawen Salignat-Moandal <mwnslgt@gmail.com>
90cfb6b to cf89f62
Cursor Bugbot has reviewed your changes and found 1 potential issue.
```go
origin := strings.TrimSpace(r.Header.Get("Origin"))
if origin == "" {
	return false
}
```
Missing Origin header blocks non-browser WebSocket clients
Medium Severity
When allowedOrigins is configured (production), connections without an Origin header are rejected. The gorilla/websocket default behavior is to accept connections when the Origin header is absent, because non-browser clients (CLI tools, server-to-server) typically don't send it. The Origin header is a browser-only CSRF mechanism, so rejecting its absence blocks legitimate programmatic clients without any security benefit — non-browser clients can trivially forge the header anyway.


What
In production, WebSocket connections are now restricted to allowed origins only. In development, all origins are still accepted (no change for local dev).
Why
Previously, the server accepted WebSocket connections from any origin. That could allow a third-party site to open a WebSocket to your SuperPlane instance using the user's cookies. Restricting origins in production reduces that risk and aligns with common security practice for WebSockets.
How
- allowedWebSocketOrigins() builds the list of allowed origins:
  - Development (APP_ENV=development): returns no list → all origins accepted (unchanged behavior).
  - Production: WEBSOCKET_ALLOWED_ORIGINS if set (comma-separated), otherwise derives a single origin from BASE_URL (scheme + host).
- The CheckOrigin callback now allows a connection only when:
  - the Origin header is in the allowed list.
Configuration
- BASE_URL: In production, the origin derived from this URL is allowed (e.g. https://app.example.com → https://app.example.com).
- WEBSOCKET_ALLOWED_ORIGINS (optional): Comma-separated list of origins when you need multiple (e.g. https://app.example.com,https://dashboard.example.com).
- APP_ENV=development.
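As an added, self-contained example (not SuperPlane's code and not the diff in this PR), the following Go program implements the allowlist check the description outlines: a nil allowlist in development, otherwise WEBSOCKET_ALLOWED_ORIGINS or the origin derived from BASE_URL. It goes slightly beyond the description in two ways: origins are normalized (lowercased, default ports stripped) before comparison so `https://App.Example.com:443` matches `https://app.example.com`, and the missing-Origin case that Bugbot flagged is an explicit `allowMissing` setting rather than a hard rejection. The `OriginPolicy` type, `NewOriginPolicy`, `normalizeOrigin` and the `allowMissing` flag are names assumed for this example only.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// OriginPolicy is an allowlist-based WebSocket origin check.
// Hypothetical type for this example; not the project's own code.
type OriginPolicy struct {
	allowed      map[string]bool // normalized "scheme://host[:port]"; nil means allow everything
	allowMissing bool            // accept requests without an Origin header (non-browser clients)
}

// normalizeOrigin reduces an origin or URL to "scheme://host[:port]", lowercased,
// with the scheme's default port removed. Values without a scheme and host
// (including the literal "null" a browser may send) are rejected with an error.
func normalizeOrigin(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("origin %q lacks scheme or host", raw)
	}
	scheme := strings.ToLower(u.Scheme)
	host := strings.ToLower(u.Hostname())
	port := u.Port()
	if (scheme == "https" && port == "443") || (scheme == "http" && port == "80") {
		port = ""
	}
	if port != "" {
		host = host + ":" + port
	}
	return scheme + "://" + host, nil
}

// NewOriginPolicy builds the policy from the environment values the PR describes:
// appEnv == "development" -> no allowlist; otherwise allowedList (comma-separated)
// if non-empty, else the single origin derived from baseURL.
func NewOriginPolicy(appEnv, baseURL, allowedList string, allowMissing bool) (*OriginPolicy, error) {
	if appEnv == "development" {
		return &OriginPolicy{allowMissing: allowMissing}, nil
	}
	raws := []string{baseURL}
	if allowedList != "" {
		raws = strings.Split(allowedList, ",")
	}
	allowed := make(map[string]bool)
	for _, r := range raws {
		if strings.TrimSpace(r) == "" {
			continue
		}
		n, err := normalizeOrigin(r)
		if err != nil {
			return nil, err
		}
		allowed[n] = true
	}
	if len(allowed) == 0 {
		return nil, fmt.Errorf("no valid WebSocket origins configured")
	}
	return &OriginPolicy{allowed: allowed, allowMissing: allowMissing}, nil
}

// CheckOrigin has the shape gorilla/websocket's Upgrader.CheckOrigin expects.
func (p *OriginPolicy) CheckOrigin(r *http.Request) bool {
	if p.allowed == nil {
		return true // development: unchanged permissive behavior
	}
	origin := strings.TrimSpace(r.Header.Get("Origin"))
	if origin == "" {
		return p.allowMissing // browser CSRF defense only; decide explicitly for non-browser clients
	}
	n, err := normalizeOrigin(origin)
	if err != nil {
		return false // "null" or malformed origins never match
	}
	return p.allowed[n]
}

func main() {
	// Constructed sample configuration and requests for the demo.
	p, err := NewOriginPolicy("production", "https://app.example.com", "", false)
	if err != nil {
		panic(err)
	}
	for _, o := range []string{"https://App.Example.com:443", "http://app.example.com", "https://evil.example.com", "null", ""} {
		req := &http.Request{Header: http.Header{}}
		if o != "" {
			req.Header.Set("Origin", o)
		}
		fmt.Printf("Origin=%q allowed=%v\n", o, p.CheckOrigin(req))
	}
}
```

Whether `allowMissing` should be true is the judgment call in Bugbot's comment: the Origin header only defends against browser-driven cross-site connections, so rejecting its absence mainly affects CLI and server-to-server clients, which authenticate by other means anyway.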