Add strict CORS allowlist with fail-closed default #105

Merged
pook merged 1 commit from feature/cors-allowlist into main 2026-04-09 06:14:09 -04:00
Owner

Summary

  • Configure CORS middleware to only allow origins from ALLOWED_ORIGINS env var (comma-separated)
  • Default to no origins allowed (fail-closed) when env var is missing
  • Restrict allowed methods to GET, POST, OPTIONS only
  • Add preflight caching with Access-Control-Max-Age: 86400 (24 hours)
  • Add ALLOWED_ORIGINS to .env.sample for documentation

Test plan

  • Unit tests cover allowed origin receiving CORS headers
  • Unit tests cover disallowed origin NOT receiving CORS headers
  • Unit tests cover empty allowlist blocking all origins
  • Unit tests cover preflight returning correct methods and max-age
  • All 8 tests pass (bun test packages/api/tests/unit/cors.test.ts)

🤖 Generated with Claude Code

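The behaviour the summary describes (a comma-separated allowlist, nothing allowed when the variable is unset, `GET`/`POST`/`OPTIONS` only, and a 24-hour preflight cache), written out as an added TypeScript example. This is not the repository's middleware or this PR's code; `parseAllowedOrigins`, `corsHeaders`, `CorsRequest` and `CorsDecision` are assumed names, and the sample origins are constructed.

```typescript
// Added example (not the project's code): a framework-agnostic CORS allowlist
// decision function with a fail-closed default. Names and sample values are assumptions.

const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"] as const;
const PREFLIGHT_MAX_AGE_SECONDS = 86400; // 24 hours, matching the PR

export interface CorsRequest {
  method: string;              // HTTP method of the incoming request
  origin?: string;             // value of the Origin header, if any
  requestedMethod?: string;    // Access-Control-Request-Method on a preflight
}

export interface CorsDecision {
  allowed: boolean;
  headers: Record<string, string>;
}

/** Parse a comma-separated ALLOWED_ORIGINS value into a set of canonical origins.
 *  Missing or empty input yields an empty set, so every cross-origin request is
 *  denied (fail-closed). Malformed entries and "*" abort startup rather than
 *  silently widening the policy. */
export function parseAllowedOrigins(raw: string | undefined): Set<string> {
  const origins = new Set<string>();
  for (const entry of (raw ?? "").split(",")) {
    const value = entry.trim();
    if (value === "") continue;
    if (value === "*") throw new Error('ALLOWED_ORIGINS must list explicit origins, not "*"');
    let canonical: string;
    try {
      // URL.origin lowercases the host and drops default ports, so
      // "https://App.Example.com:443" and "https://app.example.com" compare equal.
      canonical = new URL(value).origin;
    } catch {
      throw new Error(`ALLOWED_ORIGINS entry is not a valid origin: ${value}`);
    }
    if (canonical === "null") throw new Error(`ALLOWED_ORIGINS entry has an opaque origin: ${value}`);
    origins.add(canonical);
  }
  return origins;
}

/** Decide which CORS headers (if any) a response may carry. A disallowed origin
 *  gets no Access-Control-Allow-Origin header at all, which is what makes the
 *  browser block the response. */
export function corsHeaders(allowed: Set<string>, req: CorsRequest): CorsDecision {
  // No Origin header means a same-origin or non-browser request: CORS does not apply.
  if (req.origin === undefined) return { allowed: false, headers: {} };

  let canonical: string;
  try {
    canonical = new URL(req.origin).origin;
  } catch {
    return { allowed: false, headers: { Vary: "Origin" } };
  }
  if (!allowed.has(canonical)) {
    // Vary: Origin keeps a shared cache from serving this origin-specific answer elsewhere.
    return { allowed: false, headers: { Vary: "Origin" } };
  }

  const headers: Record<string, string> = {
    // Echo the exact origin the browser sent; never reply with "*".
    "Access-Control-Allow-Origin": req.origin,
    Vary: "Origin",
  };

  if (req.method.toUpperCase() === "OPTIONS") {
    // Preflight: the requested method must itself be on the short allowlist.
    const wanted = (req.requestedMethod ?? "").toUpperCase();
    if (!(ALLOWED_METHODS as readonly string[]).includes(wanted)) {
      return { allowed: false, headers: { Vary: "Origin" } };
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Max-Age"] = String(PREFLIGHT_MAX_AGE_SECONDS);
  }
  return { allowed: true, headers };
}
```

Wire `parseAllowedOrigins(process.env.ALLOWED_ORIGINS)` once at startup (so a malformed value fails the deploy, not a request) and call `corsHeaders` from the request handler: for a preflight, return 204 with the decision's headers when `allowed` is true and 403 otherwise; for other methods, merge the headers into the normal response. Note that `corsHeaders` decides only whether the browser may read the response; server-side authorization of the request itself is still required.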
Configure CORS middleware to only allow origins specified in ALLOWED_ORIGINS
env var (comma-separated). When the env var is missing, no origins are
allowed (fail-closed). Restrict methods to GET/POST/OPTIONS, enable
preflight caching (max-age 86400), and add unit tests covering allow/deny.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pook merged commit 778bb1cafb into main 2026-04-09 06:14:08 -04:00
Reference
pook/compliancebot!105