Skip to content

Restrict CORS to a configurable allowlist instead of wildcard #6

Description

@mikewheeleer

Harden CORS with an environment-driven origin allowlist

Description

src/index.ts mounts app.use(cors()) with no options, which reflects any Origin and effectively allows all cross-origin callers. For a payments-adjacent gateway that exposes admin and key-management routes, a wildcard CORS policy is too permissive. This issue replaces it with an allowlist driven by CORS_ALLOWED_ORIGINS.

Requirements and context

  • Repository scope: StableRoute-Org/Stableroute-backend only.
  • Parse process.env.CORS_ALLOWED_ORIGINS (comma-separated) into a set; configure the cors middleware with an origin callback that allows only listed origins.
  • When the env var is unset, default to a safe localhost-only list for development.
  • Ensure preflight (OPTIONS) still succeeds for allowed origins and is rejected for others.
  • Keep credentials handling explicit (credentials: false unless an origin is allowlisted).

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b security/cors-06-origin-allowlist
  • Implement changes
    • Write code in: src/index.ts — replace the bare cors() call with a configured instance.
    • Write comprehensive tests in: src/__tests__/index.test.ts — assert Access-Control-Allow-Origin for an allowed origin and its absence for a disallowed one.
    • Add documentation: document CORS_ALLOWED_ORIGINS in README.md.
    • Add TSDoc on the origin resolver.
    • Validate security: never echo an arbitrary origin back.
  • Test and commit

Test and commit

  • Run npm run build, npm run lint, and npm test.
  • Cover edge cases: allowed origin, disallowed origin, no Origin header, preflight.
  • Paste full npm test output in the PR.

Example commit message

feat(security): restrict CORS to a configurable origin allowlist

Guidelines

  • Minimum 95 percent test coverage for impacted code.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.

Metadata

Metadata

Assignees

No one assigned

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions