Enhance CORS Configuration for Production Security

📌 Removed the wildcard (*) origin and replaced it with trusted origins from .env.

📌 Introduced environment variable (CORS_ALLOWED_ORIGINS) for dynamic origin management.

📌 Improved security by blocking untrusted origins and methods.

📌 Enhanced performance with maxAge for caching preflight responses.

📌 No breaking changes, as the fallback origin is set to http://localhost:4000 for development, ensuring compatibility with local setups.

2 files changed, 19 insertions, 3 deletions

diff --git a/.env.example b/.env.example
index 6829a4e..5dfc8a5 100644
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,6 @@
 DOMAIN = "aniwatchtv.to"
 PORT = 4000
+CORS_ALLOWED_ORIGINS = https://your-production-domain.com,https://another-trusted-domain.com
 
 # RATE LIMIT
 WINDOWMS = 1800000     # duration to track requests (in milliseconds) for rate limiting. here, 30*60*1000 = 1800000 = 30 minutes
diff --git a/src/config/cors.ts b/src/config/cors.ts
index b82f40a..9cbf836 100644
--- a/src/config/cors.ts
+++ b/src/config/cors.ts
@@ -1,10 +1,25 @@
-import cors from "cors";
+import cors from 'cors';
+import dotenv from 'dotenv';
+
+dotenv.config();
+
+const allowedOrigins = process.env.CORS_ALLOWED_ORIGINS
+  ? process.env.CORS_ALLOWED_ORIGINS.split(",")
+  : ["http://localhost:4000"];
 
 const corsConfig = cors({
-  origin: "*",
-  methods: "GET",
+  origin: function (origin, callback) {
+    if (!origin || allowedOrigins.includes(origin)) {
+      callback(null, true);
+    } else {
+      callback(new Error("Not allowed by CORS"));
+    }
+  },
+  methods: ["GET"],
   credentials: true,
   optionsSuccessStatus: 200,
+  maxAge: 600,
 });
 
 export default corsConfig;
+