aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRitesh Ghosh <[email protected]>2024-10-04 12:17:57 +0530
committerGitHub <[email protected]>2024-10-04 12:17:57 +0530
commit3813902aaa4452612ef0b4a792a294a97581c87c (patch)
tree474d38eac226e53e41375ae25582b0cc94e1d3d5
parentdbbd46a99d8690307837e831a8130704e0d63feb (diff)
parent91fd0918c319519bf20f3bdcb2287a5c85ffa7d1 (diff)
downloadaniwatch-api-3813902aaa4452612ef0b4a792a294a97581c87c.tar.xz
aniwatch-api-3813902aaa4452612ef0b4a792a294a97581c87c.zip
Merge pull request #64 from divyansh355/main
Enhance CORS Configuration for Production Security
-rw-r--r--.env.example1
-rw-r--r--src/config/cors.ts21
2 files changed, 19 insertions, 3 deletions
diff --git a/.env.example b/.env.example
index 6829a4e..5dfc8a5 100644
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,6 @@
DOMAIN = "aniwatchtv.to"
PORT = 4000
+CORS_ALLOWED_ORIGINS = https://your-production-domain.com,https://another-trusted-domain.com
# RATE LIMIT
WINDOWMS = 1800000 # duration to track requests (in milliseconds) for rate limiting. here, 30*60*1000 = 1800000 = 30 minutes
diff --git a/src/config/cors.ts b/src/config/cors.ts
index b82f40a..9cbf836 100644
--- a/src/config/cors.ts
+++ b/src/config/cors.ts
@@ -1,10 +1,25 @@
-import cors from "cors";
+import cors from 'cors';
+import dotenv from 'dotenv';
+
+dotenv.config();
+
+const allowedOrigins = process.env.CORS_ALLOWED_ORIGINS
+ ? process.env.CORS_ALLOWED_ORIGINS.split(",")
+ : ["http://localhost:4000"];
const corsConfig = cors({
- origin: "*",
- methods: "GET",
+ origin: function (origin, callback) {
+ if (!origin || allowedOrigins.includes(origin)) {
+ callback(null, true);
+ } else {
+ callback(new Error("Not allowed by CORS"));
+ }
+ },
+ methods: ["GET"],
credentials: true,
optionsSuccessStatus: 200,
+ maxAge: 600,
});
export default corsConfig;
+