security: restrict CORS to explicit allowed origins#661

Open
mmcintosh wants to merge 2 commits into SonicJs-Org:main from mmcintosh:hotfix/cors-configuration

Conversation

@mmcintosh
Contributor

Security: Restrict CORS to Explicit Allowed Origins

Summary

Replaces the permissive Access-Control-Allow-Origin: * CORS policy with an explicit allowlist via the CORS_ORIGINS environment variable. Cross-origin requests from unlisted origins are now rejected.

Changes

1. Origin Allowlist

  • CORS origin callback parses CORS_ORIGINS env var (comma-separated)
  • Only echoes back origins present in the list
  • Secure default: If CORS_ORIGINS is not set, all cross-origin requests are rejected

2. Additional Allowed Header

  • Added X-API-Key to allowHeaders so API key authentication works cross-origin

3. Default Configuration

  • my-sonicjs-app/wrangler.toml sets CORS_ORIGINS = "http://localhost:8787" for local dev
  • Starter template (packages/create-app/templates/starter/wrangler.toml) includes the same default

4. E2E Tests Updated

  • CORS tests now send Origin: http://localhost:8787 (the configured origin)
  • Assertions changed from * to the echoed origin value
  • Updated in 07-api.spec.ts, 08-collections-api.spec.ts, and smoke.spec.ts

Technical Details

Core Changes:

  • packages/core/src/routes/api.ts -- CORS origin callback with allowlist parsing
  • packages/core/src/app.ts -- Added CORS_ORIGINS?: string to Bindings interface

Configuration:

  • my-sonicjs-app/wrangler.toml -- Added CORS_ORIGINS = "http://localhost:8787"
  • packages/create-app/templates/starter/wrangler.toml -- Same default for new projects

Updated Tests:

  • tests/e2e/07-api.spec.ts -- CORS test uses configured origin
  • tests/e2e/08-collections-api.spec.ts -- Updated assertion from * to echoed origin
  • tests/e2e/smoke.spec.ts -- Updated CORS smoke test

Testing

  • Unit Tests: PASSED
  • E2E Tests: PASSED (3/3 shards green, 3 test files updated)

Performance Impact

No measurable impact -- origin check is a simple string split + includes.

Breaking Changes

  • API consumers from other origins will be blocked unless their origin is added to CORS_ORIGINS. This is intentional -- the previous * policy was a security risk.

Migration Notes

  • Production: Set CORS_ORIGINS to your frontend domain(s), e.g., CORS_ORIGINS = "https://mysite.com,https://admin.mysite.com"
  • Multiple origins: Comma-separated (trimmed automatically)
  • Local dev: Pre-configured to http://localhost:8787

Known Issues

None.

Demo / Screenshots

N/A -- no UI changes.

Related Issues

(Security hardening -- no linked issue)

Checklist

  • Code follows project coding standards
  • Tests added/updated and passing
  • Documentation updated
  • No breaking changes
  • Backward compatible
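As an added example (not SonicJs's own code), the allowlist logic the PR describes written as standalone TypeScript: parse CORS_ORIGINS, echo only an exact match, reject everything when the variable is unset. The Bindings shape and function names are assumed; the Vary: Origin header and the refusal to ever echo "*" or the opaque origin "null" go beyond the PR text as defender's caveats.

```typescript
// Added example, not the project's implementation; env/function names are assumed.
type Bindings = { CORS_ORIGINS?: string }

/** Parse the comma-separated CORS_ORIGINS value into a trimmed allowlist.
 *  Unset or empty => [] => every cross-origin request is rejected. */
export function parseCorsOrigins(env: Bindings): string[] {
  const raw = env.CORS_ORIGINS ?? ''
  return raw
    .split(',')
    .map((o) => o.trim())
    // "*" and the opaque origin "null" are never echoed, even if someone configures them
    .filter((o) => o.length > 0 && o !== '*' && o !== 'null')
}

/** Origin callback: return the request Origin only if it is on the allowlist,
 *  otherwise null so no Access-Control-Allow-Origin header is emitted.
 *  Exact string match: a different scheme, host or port is a different origin. */
export function resolveCorsOrigin(requestOrigin: string | undefined, env: Bindings): string | null {
  if (!requestOrigin) return null
  return parseCorsOrigins(env).includes(requestOrigin) ? requestOrigin : null
}

/** Response headers for one request. Vary: Origin is always set because the
 *  response now depends on the Origin header; without it a shared cache could
 *  serve one origin's CORS response (or a rejection) to another origin. */
export function corsHeadersFor(requestOrigin: string | undefined, env: Bindings): Record<string, string> {
  const allowed = resolveCorsOrigin(requestOrigin, env)
  if (allowed === null) return { Vary: 'Origin' }
  return {
    'Access-Control-Allow-Origin': allowed,
    Vary: 'Origin',
    // X-API-Key added so API-key authentication works cross-origin, as in the PR
    'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-API-Key',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, PATCH, DELETE, OPTIONS',
  }
}
```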

Code scanning / CodeQL notices (Unused variable, import, function or class) on the updated test file:

```ts
it('valid key with matching scope — calls next()', async () => {
  const hash = await hashApiKey(TOKEN)    // CodeQL notice: Unused variable hash.

  const mw = requireApiKey('search:read')
  const result = await mw(ctx, mockNext)  // CodeQL notice: Unused variable result.
})
```
- Replace wildcard origin:'*' with dynamic CORS_ORIGINS check
- No CORS_ORIGINS env var = reject all cross-origin requests (secure default)
- Add CORS_ORIGINS to Bindings interface
- Add X-API-Key to allowed headers
- Add CORS_ORIGINS=http://localhost:8787 to dev wrangler.toml configs
- Same-origin requests (admin UI) are unaffected

Breaking: cross-origin API consumers must be listed in CORS_ORIGINS

Fixes VULN-003

Tests were sending Origin headers (localhost:3000, example.com) that
don't match the CORS_ORIGINS allowlist. Updated to use http://localhost:8787
and assert the echoed origin instead of wildcard '*'.
@mmcintosh mmcintosh force-pushed the hotfix/cors-configuration branch from 5e92ace to cd6828d on February 20, 2026 18:45
@mmcintosh mmcintosh changed the title Hotfix/cors configuration security: restrict CORS to explicit allowed origins Feb 20, 2026