Security: CORS defaults to allow all origins in development #124

Closed
opened 2026-05-17 21:27:25 -05:00 by null · 0 comments
Owner

Problem

server/index.js line 100: const corsOrigin = process.env.CORS_ORIGIN || '*'

When CORS_ORIGIN is not set, the API accepts requests from ANY origin. While docker-compose.yml sets it to https://queuenorth.com, the default fallback is permissive.

Additionally, CORS_ORIGIN is not documented in .env.example, so developers running locally get wide-open CORS without knowing it.

Fix

  1. Add CORS_ORIGIN to .env.example with a comment explaining it
  2. Change the default to something safer: http://localhost:5173 (Vite dev server) instead of *
  3. Log a warning when CORS is set to *

Files

  • server/index.js — CORS default
  • .env.example — add CORS_ORIGIN entry

Severity

Low-Medium — docker-compose.yml already sets the correct origin, but dev environments are wide open
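As an added example (not the Queue-North project's own code), here is a hardened replacement for the `CORS_ORIGIN || '*'` fallback that implements fix steps 2 and 3 and goes a little beyond them: the default becomes the Vite dev origin, a warning is logged when `*` is configured explicitly, and a comma-separated allowlist is validated so that only bare origins (scheme, host, port) are accepted and matched exactly. Function names, the policy object shape and the comma-separated format are assumptions made for this example; the `cors` middleware's `origin` callback contract `(requestOrigin, callback)` is the real one from the `cors` npm package.

```javascript
// Added example, not the project's code. Hardened replacement for
// `const corsOrigin = process.env.CORS_ORIGIN || '*'` in server/index.js.
// Function names and the policy object shape are assumptions for this example.

const DEFAULT_DEV_ORIGIN = 'http://localhost:5173'; // Vite dev server

// The permissive form the issue describes: an unset variable silently becomes '*'.
function resolveCorsOriginPermissive(env) {
  return env.CORS_ORIGIN || '*';
}

// Hardened form. Returns { mode: 'any' } only when '*' is set explicitly,
// otherwise { mode: 'list', origins: [...] } with every entry validated as a
// bare origin (scheme://host[:port]). `log` is injectable so the warning can
// be captured in tests; it defaults to console.warn.
function resolveCorsOrigin(env, log = console.warn) {
  const raw = (env.CORS_ORIGIN || '').trim();

  if (raw === '') {
    log(`CORS_ORIGIN is not set; allowing only ${DEFAULT_DEV_ORIGIN}`);
    return { mode: 'list', origins: [DEFAULT_DEV_ORIGIN] };
  }

  if (raw === '*') {
    log('CORS_ORIGIN is "*": every origin may read responses from this API. Do not run production this way.');
    return { mode: 'any', origins: ['*'] };
  }

  // Comma-separated allowlist, e.g. "https://queuenorth.com,https://www.queuenorth.com".
  const origins = raw.split(',').map((s) => s.trim()).filter(Boolean);
  for (const entry of origins) {
    let url;
    try {
      url = new URL(entry);
    } catch {
      throw new Error(`CORS_ORIGIN entry is not a URL: "${entry}"`);
    }
    // Reject paths, trailing slashes, userinfo, etc.: an origin is scheme+host+port only.
    if (url.origin !== entry) {
      throw new Error(`CORS_ORIGIN entry must be a bare origin like ${url.origin}, got "${entry}"`);
    }
  }
  return { mode: 'list', origins };
}

// Exact, case-sensitive match against the allowlist. No prefix or substring
// matching, so "http://localhost:5173.evil.example" does not pass.
function isOriginAllowed(policy, requestOrigin) {
  if (policy.mode === 'any') return true;
  if (typeof requestOrigin !== 'string') return false; // no Origin header: not a CORS request
  return policy.origins.includes(requestOrigin);
}

// Value for the `origin` option of the `cors` middleware. For the allowlist
// case a callback is returned; cors invokes it with the request's Origin
// header and emits Access-Control-Allow-Origin only when the callback reports
// true. A false result omits the header; it does not reject the request.
function corsOriginOption(policy) {
  if (policy.mode === 'any') return '*';
  return (requestOrigin, callback) => callback(null, isOriginAllowed(policy, requestOrigin));
}

// Wiring in server/index.js would then read (assumed, not the project's current code):
//   const corsPolicy = resolveCorsOrigin(process.env);
//   app.use(cors({ origin: corsOriginOption(corsPolicy) }));
```

Two practical notes. Failing fast on a malformed entry (bare host, trailing slash, path) is deliberate: a typo in `CORS_ORIGIN` should stop the server at startup rather than quietly fall back to something. And the exposure of `*` is bounded by the browser: `Access-Control-Allow-Origin: *` cannot be combined with credentials, so the real hazard is any endpoint that returns data without cookies or tokens, plus the temptation to "fix" credentialed requests by reflecting the request origin, which this example never does.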

null closed this issue 2026-05-17 21:53:58 -05:00
Reference: null/Queue-North-Website#124