Harden CORS with an environment-driven origin allowlist
Description
src/index.ts mounts app.use(cors()) with no options, which reflects any Origin and effectively allows all cross-origin callers. For a payments-adjacent gateway that exposes admin and key-management routes, a wildcard CORS policy is too permissive. This issue replaces it with an allowlist driven by CORS_ALLOWED_ORIGINS.
Requirements and context
- Repository scope:
StableRoute-Org/Stableroute-backend only.
- Parse
process.env.CORS_ALLOWED_ORIGINS (comma-separated) into a set; configure the cors middleware with an origin callback that allows only listed origins.
- When the env var is unset, default to a safe localhost-only list for development.
- Ensure preflight (
OPTIONS) still succeeds for allowed origins and is rejected for others.
- Keep credentials handling explicit (
credentials: false unless an origin is allowlisted).
Suggested execution
- Fork the repo and create a branch
git checkout -b security/cors-06-origin-allowlist
- Implement changes
- Write code in:
src/index.ts — replace the bare cors() call with a configured instance.
- Write comprehensive tests in:
src/__tests__/index.test.ts — assert Access-Control-Allow-Origin for an allowed origin and its absence for a disallowed one.
- Add documentation: document
CORS_ALLOWED_ORIGINS in README.md.
- Add TSDoc on the origin resolver.
- Validate security: never echo an arbitrary origin back.
- Test and commit
Test and commit
- Run
npm run build, npm run lint, and npm test.
- Cover edge cases: allowed origin, disallowed origin, no Origin header, preflight.
- Paste full
npm test output in the PR.
Example commit message
feat(security): restrict CORS to a configurable origin allowlist
Guidelines
- Minimum 95 percent test coverage for impacted code.
- Clear, reviewer-focused documentation.
- Timeframe: 96 hours.
Community & contribution rewards
- 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
- ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
Harden CORS with an environment-driven origin allowlist
Description
src/index.tsmountsapp.use(cors())with no options, which reflects anyOriginand effectively allows all cross-origin callers. For a payments-adjacent gateway that exposes admin and key-management routes, a wildcard CORS policy is too permissive. This issue replaces it with an allowlist driven byCORS_ALLOWED_ORIGINS.Requirements and context
StableRoute-Org/Stableroute-backendonly.process.env.CORS_ALLOWED_ORIGINS(comma-separated) into a set; configure thecorsmiddleware with anorigincallback that allows only listed origins.OPTIONS) still succeeds for allowed origins and is rejected for others.credentials: falseunless an origin is allowlisted).Suggested execution
git checkout -b security/cors-06-origin-allowlistsrc/index.ts— replace the barecors()call with a configured instance.src/__tests__/index.test.ts— assertAccess-Control-Allow-Originfor an allowed origin and its absence for a disallowed one.CORS_ALLOWED_ORIGINSinREADME.md.Test and commit
npm run build,npm run lint, andnpm test.npm testoutput in the PR.Example commit message
feat(security): restrict CORS to a configurable origin allowlistGuidelines
Community & contribution rewards