Security: CORS defaults to allow all origins in development #124
Labels
No Label
P0 Critical
P1 High
P2 Medium
P3 Low
accessibility
backend
bug
content
data-integrity
enhancement
frontend
infra
integration
owner
owner-input
performance
performance
phase-7
phase-8
security
seo
ui
ux
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: null/Queue-North-Website#124
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Problem
server/index.js line 100:
const corsOrigin = process.env.CORS_ORIGIN || '*'When CORS_ORIGIN is not set, the API accepts requests from ANY origin. While docker-compose.yml sets it to
https://queuenorth.com, the default fallback is permissive.Additionally, CORS_ORIGIN is not documented in .env.example, so developers running locally get wide-open CORS without knowing it.
Fix
http://localhost:5173(Vite dev server) instead of**Files
Severity
Low-Medium — docker-compose.yml already sets the correct origin, but dev environments are wide open