Harden CORS origin validation in production (FRE-4749)

- Add ALLOWED_ORIGINS env var with comma-separated origin list
- Validate origins at startup in production: reject wildcards, empty values,
  and malformed URLs (non-http/https protocol)
- Update both server entry points (server.ts, index.ts) to use getCorsOrigins()
- Development mode retains existing localhost fallback behavior

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Senior Engineer
2026-05-09 11:46:39 -04:00
committed by Michael Freno
parent 8506fd17ef
commit a10ef7eb70
3 changed files with 58 additions and 3 deletions


@@ -7,6 +7,11 @@ import { authMiddleware } from "./middleware/auth.middleware";
import { darkwatchRoutes } from "./routes/darkwatch.routes";
import { voiceprintRoutes } from "./routes/voiceprint.routes";
import { correlationRoutes } from "./routes/correlation.routes";
import { initDatadog, initSentry, captureSentryError } from "@shieldai/monitoring";
import { getCorsOrigins } from "./config/api.config";
initDatadog();
initSentry();
const app = Fastify({
logger: {
@@ -15,7 +20,8 @@ const app = Fastify({
});
async function bootstrap() {
await app.register(cors, { origin: process.env.CORS_ORIGIN || "http://localhost:5173" });
const corsOrigins = getCorsOrigins();
await app.register(cors, { origin: corsOrigins });
await app.register(helmet);
await app.register(sensible);
@@ -42,6 +48,7 @@ async function bootstrap() {
app.log.info(`Server listening on port ${process.env.PORT || 3000}`);
} catch (err) {
app.log.error(err);
captureSentryError(err as Error, { context: "server_startup" });
process.exit(1);
}
}
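Review bot: The `getCorsOrigins()` call at the top of `bootstrap()` appears to sit before the `try` whose `catch` shows in the last hunk, so a validation failure in production may skip both `app.log.error` and `captureSentryError`. The `try` line and most of `bootstrap()` lie outside the hunks, so this needs confirming; if it holds, move `const corsOrigins = getCorsOrigins();` inside the `try` so a rejected `ALLOWED_ORIGINS` is logged and reported before exit. In the `catch`, `process.exit(1)` runs immediately after `captureSentryError(...)`, and if that helper sends asynchronously the startup error can be lost; awaiting a flush first would avoid that, provided `@shieldai/monitoring` exposes one. `err as Error` is an unchecked assertion, and `err instanceof Error ? err : new Error(String(err))` keeps the report well-formed when something other than an `Error` is thrown. The removed line read `CORS_ORIGIN`, so a comment at the new call stating whether that variable is still honoured would help operators who only set the old name.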