corsu siktim

backend/src/app.js

@@ -12,43 +12,31 @@ const { apiLimiter } = require('./middlewares/rateLimiter');
 const app = express();
 const PORT = process.env.PORT || 3000;
 
-// Security middleware
+// Security middleware - CSP ayarlarını gevşet (inline script'ler için)
-app.use(helmet());
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "http://*", "https://*"],
+      styleSrc: ["'self'", "'unsafe-inline'", "http://*", "https://*"],
+      imgSrc: ["'self'", "data:", "http://*", "https://*"],
+      connectSrc: ["'self'", "http://*", "https://*"],
+      fontSrc: ["'self'", "data:", "http://*", "https://*"],
+      objectSrc: ["'none'"],
+      mediaSrc: ["'self'"],
+      frameSrc: ["'none'"],
+    },
+  },
+  crossOriginEmbedderPolicy: false,
+}));
 
-// Dynamic CORS configuration (will be updated from settings)
+// CORS - Her yerden erişime izin ver
-let corsOptions = {
+app.use(cors({
-  origin: process.env.FRONTEND_URL || 'http://localhost:5173',
+  origin: true, // Tüm origin'lere izin ver
   credentials: true,
-};
+  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
-
+  allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
-app.use((req, res, next) => {
+}));
-  cors(corsOptions)(req, res, next);
-});
-
-// Function to update CORS from database
-const updateCorsFromSettings = async () => {
-  try {
-    const { Settings } = require('./models');
-    const corsEnabledSetting = await Settings.findOne({ where: { key: 'cors_enabled' } });
-    const frontendUrlSetting = await Settings.findOne({ where: { key: 'frontend_url' } });
-    
-    if (corsEnabledSetting && corsEnabledSetting.value === 'true' && frontendUrlSetting) {
-      corsOptions.origin = frontendUrlSetting.value;
-      logger.info(`CORS enabled for: ${frontendUrlSetting.value}`);
-    } else {
-      // Default: allow both frontend and backend on same origin
-      corsOptions.origin = process.env.FRONTEND_URL || 'http://localhost:5173';
-    }
-  } catch (error) {
-    logger.warn('Could not load CORS settings from database, using defaults');
-  }
-};
-
-// Update CORS on startup (with delay to ensure DB is ready)
-setTimeout(updateCorsFromSettings, 2000);
-
-// Export for use in settings controller
-app.updateCorsSettings = updateCorsFromSettings;
 
 // Body parsing middleware
 app.use(express.json());
@@ -56,7 +44,14 @@ app.use(express.urlencoded({ extended: true }));
 
 // Serve static files (landing page and frontend build)
 const path = require('path');
-app.use(express.static(path.join(__dirname, 'public')));
+app.use(express.static(path.join(__dirname, 'public'), {
+  setHeaders: (res, path) => {
+    // CORS headers for static files
+    res.set('Access-Control-Allow-Origin', '*');
+    res.set('Access-Control-Allow-Methods', 'GET, OPTIONS');
+    res.set('Access-Control-Allow-Headers', 'Content-Type');
+  }
+}));
 
 // Serve landing page at /landing route
 app.get('/landing', (req, res) => {

backend/src/controllers/settings.controller.js

@@ -166,14 +166,9 @@ exports.updateSystemSettings = async (req, res, next) => {
       });
     }
 
-    // Update CORS configuration if available
-    if (req.app && req.app.updateCorsSettings) {
-      await req.app.updateCorsSettings();
-    }
-
     res.json({
       success: true,
-      message: 'Sistem ayarları güncellendi. CORS ayarları uygulandı.',
+      message: 'Sistem ayarları güncellendi.',
     });
   } catch (error) {
     next(error);