authorRitesh Ghosh <[email protected]>2024-10-04 12:17:57 +0530
committerGitHub <[email protected]>2024-10-04 12:17:57 +0530
commit3813902aaa4452612ef0b4a792a294a97581c87c (patch)
tree474d38eac226e53e41375ae25582b0cc94e1d3d5 /src
parentdbbd46a99d8690307837e831a8130704e0d63feb (diff)
parent91fd0918c319519bf20f3bdcb2287a5c85ffa7d1 (diff)
Merge pull request #64 from divyansh355/main
Enhance CORS Configuration for Production Security
Diffstat (limited to 'src')
-rw-r--r--src/config/cors.ts21
1 files changed, 18 insertions, 3 deletions
diff --git a/src/config/cors.ts b/src/config/cors.ts
index b82f40a..9cbf836 100644
--- a/src/config/cors.ts
+++ b/src/config/cors.ts
@@ -1,10 +1,25 @@
-import cors from "cors";
+import cors from 'cors';
+import dotenv from 'dotenv';
+
+dotenv.config();
+
+const allowedOrigins = process.env.CORS_ALLOWED_ORIGINS
+ ? process.env.CORS_ALLOWED_ORIGINS.split(",")
+ : ["http://localhost:4000"];
const corsConfig = cors({
- origin: "*",
- methods: "GET",
+ origin: function (origin, callback) {
+ if (!origin || allowedOrigins.includes(origin)) {
+ callback(null, true);
+ } else {
+ callback(new Error("Not allowed by CORS"));
+ }
+ },
+ methods: ["GET"],
credentials: true,
optionsSuccessStatus: 200,
+ maxAge: 600,
});
export default corsConfig;
+
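Review bot: The allow-list read from `CORS_ALLOWED_ORIGINS` is split on commas without trimming, so a value written as `https://a.example, https://b.example` (constructed sample) keeps a leading space on the second entry and `allowedOrigins.includes(origin)` never matches it; `process.env.CORS_ALLOWED_ORIGINS.split(",").map((o) => o.trim()).filter(Boolean)` fixes that and also drops empty entries. In the `origin` callback, `callback(new Error("Not allowed by CORS"))` hands an error to the application's error handling, which is not visible in this hunk and may answer a disallowed origin with a 500; `callback(null, false)` would just omit the CORS headers. Since `credentials: true` is kept, the `!origin` branch deserves a comment such as `// no Origin header: non-browser or same-origin request; CORS is not access control, authorization must be enforced elsewhere`.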