From c898ca4a65e8c88d847eabaaef750600535e1bd8 Mon Sep 17 00:00:00 2001
From: salvacybersec
Date: Tue, 11 Nov 2025 07:40:02 +0300
Subject: [PATCH] corsu siktim
---
backend/src/app.js | 67 +++++++++----------
.../src/controllers/settings.controller.js | 7 +-
2 files changed, 32 insertions(+), 42 deletions(-)
diff --git a/backend/src/app.js b/backend/src/app.js
index e9f13e8..71a3401 100644
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -12,43 +12,31 @@ const { apiLimiter } = require('./middlewares/rateLimiter');
 const app = express();
 const PORT = process.env.PORT || 3000;
-// Security middleware
-app.use(helmet());
+// Security middleware - CSP ayarlarını gevşet (inline script'ler için)
+app.use(helmet({
+ contentSecurityPolicy: {
+ directives: {
+ defaultSrc: ["'self'"],
+ scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "http://*", "https://*"],
+ styleSrc: ["'self'", "'unsafe-inline'", "http://*", "https://*"],
+ imgSrc: ["'self'", "data:", "http://*", "https://*"],
+ connectSrc: ["'self'", "http://*", "https://*"],
+ fontSrc: ["'self'", "data:", "http://*", "https://*"],
+ objectSrc: ["'none'"],
+ mediaSrc: ["'self'"],
+ frameSrc: ["'none'"],
+ },
+ },
+ crossOriginEmbedderPolicy: false,
+}));
-// Dynamic CORS configuration (will be updated from settings)
-let corsOptions = {
- origin: process.env.FRONTEND_URL || 'http://localhost:5173',
+// CORS - Her yerden erişime izin ver
+app.use(cors({
+ origin: true, // Tüm origin'lere izin ver
 credentials: true,
-};
-
-app.use((req, res, next) => {
- cors(corsOptions)(req, res, next);
-});
-
-// Function to update CORS from database
-const updateCorsFromSettings = async () => {
- try {
- const { Settings } = require('./models');
- const corsEnabledSetting = await Settings.findOne({ where: { key: 'cors_enabled' } });
- const frontendUrlSetting = await Settings.findOne({ where: { key: 'frontend_url' } });
-
- if (corsEnabledSetting && corsEnabledSetting.value === 'true' && frontendUrlSetting) {
- corsOptions.origin = frontendUrlSetting.value;
- logger.info(`CORS enabled for: ${frontendUrlSetting.value}`);
- } else {
- // Default: allow both frontend and backend on same origin
- corsOptions.origin = process.env.FRONTEND_URL || 'http://localhost:5173';
- }
- } catch (error) {
- logger.warn('Could not load CORS settings from database, using defaults');
- }
-};
-
-// Update CORS on startup (with delay to ensure DB is ready)
-setTimeout(updateCorsFromSettings, 2000);
-
-// Export for use in settings controller
-app.updateCorsSettings = updateCorsFromSettings;
+ methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+ allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
+}));
 // Body parsing middleware
 app.use(express.json());
@@ -56,7 +44,14 @@ app.use(express.urlencoded({ extended: true }));
 // Serve static files (landing page and frontend build)
 const path = require('path');
-app.use(express.static(path.join(__dirname, 'public')));
+app.use(express.static(path.join(__dirname, 'public'), {
+ setHeaders: (res, path) => {
+ // CORS headers for static files
+ res.set('Access-Control-Allow-Origin', '*');
+ res.set('Access-Control-Allow-Methods', 'GET, OPTIONS');
+ res.set('Access-Control-Allow-Headers', 'Content-Type');
+ }
+}));
 // Serve landing page at /landing route
 app.get('/landing', (req, res) => {
diff --git a/backend/src/controllers/settings.controller.js b/backend/src/controllers/settings.controller.js
index f3d7ebb..961cb4f 100644
--- a/backend/src/controllers/settings.controller.js
+++ b/backend/src/controllers/settings.controller.js
@@ -166,14 +166,9 @@ exports.updateSystemSettings = async (req, res, next) => {
 });
 }
- // Update CORS configuration if available
- if (req.app && req.app.updateCorsSettings) {
- await req.app.updateCorsSettings();
- }
-
 res.json({
 success: true,
- message: 'Sistem ayarları güncellendi. CORS ayarları uygulandı.',
+ message: 'Sistem ayarları güncellendi.',
 });
 } catch (error) {
 next(error);
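Review bot: `origin: true` combined with `credentials: true` makes the cors middleware reflect whatever Origin the browser sends and allow credentials on it, so any site a logged-in user visits can make authenticated calls to this API and read the responses; if sessions are cookie-based that is a full cross-site request and response-theft path, and even with bearer tokens it removes the only origin check the server had. Replace the reflection with an allowlist that keeps the env-driven default the removed code used, e.g. `const allowedOrigins = (process.env.FRONTEND_URL || 'http://localhost:5173').split(',');` and then `origin: allowedOrigins,` in the cors options. The new CSP is effectively a no-op as well: a `scriptSrc` of `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `http://*` and `https://*` allows any script from anywhere, so if the goal is only the inline scripts the comment mentions, use a per-request nonce or script hashes and drop `'unsafe-eval'` and the scheme wildcards. `crossOriginEmbedderPolicy: false` may be needed for cross-origin assets, but the reason belongs in a comment on that line.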
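Review bot: The `setHeaders` callback's second parameter `path` shadows the `path` module required two lines above (`const path = require('path');`); it is unused, so rename or drop it, `setHeaders: (res, filePath) => {`. The hand-set `Access-Control-Allow-Origin: *` also overwrites whatever the global `cors()` middleware already placed on the response, and browsers reject `*` on credentialed requests, so static files end up under a different CORS policy than the API; if public assets really must be loadable from any origin, say so in the comment, otherwise delete the `setHeaders` block and let the single cors configuration apply. `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` are only consulted on preflight responses, and express.static appears to serve only GET/HEAD, so those two lines likely have no effect at all.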
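Review bot: Dropping the `updateCorsSettings()` call leaves the persisted `cors_enabled` and `frontend_url` settings, which the deleted app.js loader used to read, with no effect on the running server; if `updateSystemSettings` still accepts those keys (its start is outside this hunk), an administrator can now "restrict" CORS in the UI while the server keeps accepting every origin, which is worse than having no setting. Either reject or strip those two keys in this handler, or add a comment above `res.json({` such as `// NOTE: cors_enabled/frontend_url are no longer applied at runtime; CORS is configured only in app.js` so the dead configuration is explicit to the next maintainer. The shortened success message itself is fine.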