Mike/Kordant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden CORS origin validation in production (FRE-4749)

Browse Source 
- Add ALLOWED_ORIGINS env var with comma-separated origin list
- Validate origins at startup in production: reject wildcards, empty values,
  and malformed URLs (non-http/https protocol)
- Update both server entry points (server.ts, index.ts) to use getCorsOrigins()
- Development mode retains existing localhost fallback behavior

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Senior Engineer
2026-05-09 11:46:39 -04:00
committed by Michael Freno
parent 8506fd17ef
commit a10ef7eb70
3 changed files with 58 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
packages/api/src/index.ts
View File

@@ -6,8 +6,9 @@ import { rateLimitMiddleware } from './middleware/rate-limit.middleware';
import { spamRateLimitMiddleware } from './middleware/spam-rate-limit.middleware';
import { errorHandlingMiddleware } from './middleware/error-handling.middleware';
import { loggingMiddleware } from './middleware/logging.middleware';
import { apiEnv, loggingConfig } from './config/api.config';
import { apiEnv, loggingConfig, getCorsOrigins } from './config/api.config';
import { routes } from './routes';
import { initDatadog, initSentry, setSentryUser } from '@shieldai/monitoring';
const fastify = Fastify({
logger: loggingConfig,
@@ -15,11 +16,15 @@ const fastify = Fastify({
maxParamLength: 500,
});
// Initialize monitoring (must be first import for auto-instrumentation)
initDatadog();
initSentry();
// Register plugins
async function registerPlugins() {
// CORS configuration
await fastify.register(cors, {
origin: apiEnv.CORS_ORIGIN,
origin: getCorsOrigins(),
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
credentials: true,
});