salvacybersec/balikci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CORS development mode - allow all origins in dev

Browse Source
This commit is contained in:
salvacybersec
2025-11-11 05:08:03 +03:00
parent b2cb3cb1bb
commit 16f5b39fc6
1 changed files with 20 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
backend/src/app.js
View File

@@ -15,8 +15,11 @@ const PORT = process.env.PORT || 3000;
// Security middleware
app.use(helmet());
// Dynamic CORS configuration (will be updated from settings)
// Allow multiple origins for development and production
// Dynamic CORS configuration
// Development: Allow ALL origins (no restrictions)
// Production: Whitelist specific domains
const isDevelopment = process.env.NODE_ENV !== 'production';
const getAllowedOrigins = () => {
const origins = [
process.env.FRONTEND_URL || 'http://localhost:4173', // Production default
@@ -37,13 +40,21 @@ const getAllowedOrigins = () => {
let corsOptions = {
origin: (origin, callback) => {
// Development mode: Allow ALL origins
if (isDevelopment) {
callback(null, true);
return;
}
// Production mode: Check whitelist
const allowedOrigins = getAllowedOrigins();
// Allow requests with no origin (like mobile apps or curl requests)
if (!origin || allowedOrigins.includes(origin)) {
callback(null, true);
} else {
logger.warn(`CORS blocked origin: ${origin}`);
callback(null, true); // Allow anyway in production (more permissive)
logger.warn(`CORS blocked origin: ${origin} (not in whitelist)`);
// For now, allow anyway (you can change to callback(new Error('Not allowed by CORS')) for strict mode)
callback(null, true);
}
},
credentials: true,
@@ -66,7 +77,11 @@ const updateCorsFromSettings = async () => {
logger.info(`CORS settings loaded from database: ${frontendUrlSetting.value}`);
}
logger.info(`CORS allowed origins: ${getAllowedOrigins().join(', ')}`);
if (isDevelopment) {
logger.info('🔓 CORS: Development mode - ALL origins allowed');
} else {
logger.info(`🔒 CORS: Production mode - Whitelist: ${getAllowedOrigins().join(', ')}`);
}
} catch (error) {
logger.warn('Could not load CORS settings from database, using defaults');
}