6 changes: 6 additions & 0 deletions .env.example
@@ -0,0 +1,6 @@
# Example environment variables for the Awesome Overcut monorepo
# -------------------------------------------------------------
# Copy this file to `.env` (or another env file) and adjust values as needed.

# Comma-separated list of allowed origins for CORS
CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:4200
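Review bot: the template never says how entries on this last line are matched, and that is the detail operators get wrong. main.ts hands the list straight to `enableCors({ origin: allowedOrigins })`, so each entry must equal the browser's `Origin` header exactly (scheme, host and port, no trailing slash or path), meaning `http://localhost:3000/` or `localhost:3000` would be silently rejected. Add a comment above the value, for example `# Exact origins only: scheme://host[:port], no trailing slash, no wildcards`.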
Author

Including active localhost origins in the example file may lead teams to copy the value unmodified into production, unintentionally exposing the API. Consider commenting this line out and providing it as guidance instead, e.g. # CORS_ALLOWED_ORIGINS=http://example.com, so production environments start locked-down by default.

13 changes: 13 additions & 0 deletions README.md
Expand Up @@ -227,3 +227,16 @@ This project is licensed under the **Apache License 2.0** – see the [LICENSE](
* Generated with [Amplication](https://amplication.com) – an open-source platform for building Node.js applications.
* Built with amazing open-source software:
* [NestJS](https://nestjs.com) • [Prisma](https://www.prisma.io) • [React](https://react.dev) • [React-Admin](https://marmelab.com/react-admin/) • and many more.

---

## Configuration

### Environment Variables

The server’s CORS policy can be restricted via the `CORS_ALLOWED_ORIGINS` variable (comma-separated list). If omitted, it defaults to the local dev origins `http://localhost:3000` and `http://localhost:4200`.

```
# See .env.example for the complete template
CORS_ALLOWED_ORIGINS=http://admin.example.com,https://app.example.com
```
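Review bot: the sample value mixes a plaintext origin (`http://admin.example.com`) with an HTTPS one, while main.ts enables `credentials: true` for every allowed origin, so a page served over plain HTTP could make cookie-bearing requests to the API. Use `https://` for both entries in the example and state that only exact origins are accepted (no wildcards, no trailing slash). The paragraph covers only the omitted case; it should also say what happens when the variable is set but empty, since that case is handled differently by the current `split(',')` code.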
13 changes: 12 additions & 1 deletion apps/hotel-management-service-server/src/main.ts
Expand Up @@ -13,7 +13,18 @@ import {
const { PORT = 3000 } = process.env;

async function main() {
const app = await NestFactory.create(AppModule, { cors: true });
const app = await NestFactory.create(AppModule);

const allowedOrigins =
process.env.CORS_ALLOWED_ORIGINS?.split(',').map(o => o.trim()) ?? [
Author

If CORS_ALLOWED_ORIGINS is defined but empty (e.g. CORS_ALLOWED_ORIGINS=""), .split(',') returns [""], so the fallback list is skipped and Nest will reply with Access-Control-Allow-Origin: null, effectively blocking all browsers. Please trim & filter falsy entries and fall back to the defaults when the resulting list is empty.

'http://localhost:3000',
'http://localhost:4200',
];

app.enableCors({
Author

Security-critical behaviour changed, but no automated test verifies that disallowed origins are rejected or that wildcards are never re-enabled. Please add an integration test that spins up the app with/without CORS_ALLOWED_ORIGINS and asserts the Access-Control-Allow-Origin header for allowed vs disallowed origins.

origin: allowedOrigins,
credentials: true,
});

app.setGlobalPrefix("api");
app.useGlobalPipes(
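Review bot: `credentials: true` is new in this hunk and is not mentioned anywhere in the PR. The `{ cors: true }` call it replaces used the `cors` package defaults, which do not send `Access-Control-Allow-Credentials`, so the allow-listed origins now gain cookie-bearing cross-origin access that neither the README nor `.env.example` documents. If credentialed requests are needed, document that and add an explicit guard so a wildcard can never be combined with it, for example `if (allowedOrigins.includes('*')) throw new Error('CORS_ALLOWED_ORIGINS must not contain *');` right after the list is built; otherwise drop `credentials: true` and keep the change to the allow-list alone.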
7 changes: 7 additions & 0 deletions package.json
@@ -0,0 +1,7 @@
{
"name": "awesome-overcut-root",
"private": true,
"scripts": {
"lint:cors": "! grep -R --line-number -- '{ cors: true }' apps/*/src/main.ts || (echo 'Error: Disallowed permissive CORS usage found.' && exit 1)"
Author

The grep guard is fragile: it matches only the exact substring with spaces/braces, so variants like {cors: true}, double quotes, or usages in other files could bypass CI. Use a more flexible regex such as grep -R --line-number -E '\{\s*cors\s*:\s*true' apps/**/*.ts to prevent false negatives.

}
}
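Review bot: `lint:cors` is defined but nothing in this `scripts` block runs it (no `pretest`, `lint` or `prepare` hook refers to it), so the guard only fires when someone types `npm run lint:cors` by hand. Add a `pretest` hook or a CI step that invokes it so it actually gates merges. The leading `!` negation and the `|| ( ... )` group also assume a POSIX shell; npm runs scripts through cmd.exe on Windows, where this line fails, so a small Node script doing the same search would be more portable.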