Closed AkiraBrown closed 6 days ago
On line 9, there are no CORS configurations passed to the CORS function, which means the API could receive requests from anywhere. This establishes a problem since an attacker can send whatever request they want to our API.
```js
app.use(cors());
```
```js
const targetUrl =
  process.env.NODE_ENV === "production"
    ? "<INSERT DEPLOYED FRONTEND LINK>"
    : "http://localhost:3000";

const corsOptions = {
  origin: (origin, callback) => {
    if (origin === targetUrl) {
      callback(null, true);
    } else {
      // Pass the Error object itself; the cors middleware expects an Error, not its message string.
      callback(new Error("Not allowed by CORS"), false);
    }
  },
  methods: ["GET"],
  maxAge: 3600,
  credentials: true,
};

app.use(cors(corsOptions));
```
CORS Configuration
Fix
Locked API requests to be allowed from one link.
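The origin check in the proposed fix can be exercised without starting Express, which is useful for confirming it rejects look-alike origins and behaves predictably when no `Origin` header is present. The following is an added example, not code from this issue or the project: it factors the allowlist into a small factory that follows the `cors` package's `origin(requestOrigin, callback)` contract, and a `decide` helper that calls it synchronously so its verdict can be asserted on. The `deployedFrontend` parameter and the `allowNoOrigin` option are assumptions introduced here for illustration. Note that CORS is enforced by browsers only; it restricts which web pages can read responses from the API, while non-browser clients ignore it entirely, so authentication and authorization on the API itself are still required.

```javascript
// Added example (not the project's own code): a unit-testable CORS origin check.
// Assumes the `cors` middleware calls origin(requestOrigin, callback) and expects
// callback(err, allowed), with err either null or an Error object.

// Build the allowlist from the environment. `deployedFrontend` is a hypothetical
// parameter standing in for the real deployed frontend URL from configuration.
function buildAllowedOrigins(nodeEnv, deployedFrontend) {
  return nodeEnv === "production" ? [deployedFrontend] : ["http://localhost:3000"];
}

// Return an origin-check function. Matching is exact (scheme + host + port),
// so "http://localhost:3000.evil.example" does not pass for "http://localhost:3000".
// Requests without an Origin header (same-origin navigations, curl, server-to-server)
// are rejected unless `allowNoOrigin` is set; the cors middleware then simply adds
// no Access-Control-Allow-Origin header for them.
function makeOriginCheck(allowedOrigins, { allowNoOrigin = false } = {}) {
  const allowed = new Set(allowedOrigins);
  return function originCheck(requestOrigin, callback) {
    if (requestOrigin === undefined) {
      return callback(null, allowNoOrigin);
    }
    if (allowed.has(requestOrigin)) {
      return callback(null, true);
    }
    return callback(new Error("Not allowed by CORS"), false);
  };
}

// Call the check synchronously and return a plain verdict for inspection.
function decide(originCheck, requestOrigin) {
  let result;
  originCheck(requestOrigin, (err, allowed) => {
    result = { allowed: Boolean(allowed), error: err ? err.message : null };
  });
  return result;
}

// Assemble the full options object in the shape the issue proposes.
// `credentials: true` is only safe alongside an exact allowlist; never pair it
// with a wildcard or a reflected origin.
function corsOptionsFor(nodeEnv, deployedFrontend) {
  return {
    origin: makeOriginCheck(buildAllowedOrigins(nodeEnv, deployedFrontend)),
    methods: ["GET"],
    maxAge: 3600,
    credentials: true,
  };
}
```

Usage in the app would be `app.use(cors(corsOptionsFor(process.env.NODE_ENV, DEPLOYED_FRONTEND_URL)))`; the allowlist is kept as a `Set` of exact strings rather than a prefix or regex match, since prefix matching is the usual way such allowlists end up accepting attacker-controlled origins.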