authorDivyansh <[email protected]>2024-10-01 04:55:14 +0000
committerDivyansh <[email protected]>2024-10-01 04:55:14 +0000
commit91fd0918c319519bf20f3bdcb2287a5c85ffa7d1 (patch)
tree474d38eac226e53e41375ae25582b0cc94e1d3d5 /src/config
parentdbbd46a99d8690307837e831a8130704e0d63feb (diff)
Enhance CORS Configuration for Production Security
📌 Removed the wildcard (*) origin and replaced it with trusted origins from .env. 📌 Introduced environment variable (CORS_ALLOWED_ORIGINS) for dynamic origin management. 📌 Improved security by blocking untrusted origins and methods. 📌 Enhanced performance with maxAge for caching preflight responses. 📌 No breaking changes, as the fallback origin is set to http://localhost:4000 for development, ensuring compatibility with local setups.
Diffstat (limited to 'src/config')
-rw-r--r--src/config/cors.ts21
1 files changed, 18 insertions, 3 deletions
diff --git a/src/config/cors.ts b/src/config/cors.ts
index b82f40a..9cbf836 100644
--- a/src/config/cors.ts
+++ b/src/config/cors.ts
@@ -1,10 +1,25 @@
-import cors from "cors";
+import cors from 'cors';
+import dotenv from 'dotenv';
+
+dotenv.config();
+
+const allowedOrigins = process.env.CORS_ALLOWED_ORIGINS
+ ? process.env.CORS_ALLOWED_ORIGINS.split(",")
+ : ["http://localhost:4000"];
const corsConfig = cors({
- origin: "*",
- methods: "GET",
+ origin: function (origin, callback) {
+ if (!origin || allowedOrigins.includes(origin)) {
+ callback(null, true);
+ } else {
+ callback(new Error("Not allowed by CORS"));
+ }
+ },
+ methods: ["GET"],
credentials: true,
optionsSuccessStatus: 200,
+ maxAge: 600,
});
export default corsConfig;
+
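Review bot: `process.env.CORS_ALLOWED_ORIGINS.split(",")` on the new `allowedOrigins` line keeps surrounding whitespace and empty entries, and the later `allowedOrigins.includes(origin)` comparison is exact, so a value written as `https://a.example, https://b.example` silently rejects the second origin; normalise with `.split(",").map((o) => o.trim()).filter(Boolean)`. Rejecting with `callback(new Error("Not allowed by CORS"))` passes the error on to the Express error pipeline, which answers with a 500 unless an error handler exists downstream — `callback(null, false)` simply omits the Access-Control-Allow-* headers, which is all a browser needs to block the response, and avoids the default handler possibly echoing error details. Note also that the `!origin` branch accepts every request that carries no Origin header (curl, server-to-server), so this allowlist only constrains browsers and is not an authentication boundary; a comment such as `// No Origin header => non-browser client; CORS cannot restrict it` on that line would keep the next maintainer from treating it as one.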