Open WojtekTheWebDev opened 2 years ago
@WojtekTheWebDev I think changing the defaults on the HELMET module can add this security layer. https://docs.vuestorefront.io/v2/security/headers-security.html
@WojtekTheWebDev is this closed? If yes, please close the issue
Describe the Bug
It is observed that the application fails to properly validate the Origin headers. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.
Current behavior
VSF middleware enables All CORS requests: https://github.com/vuestorefront/vue-storefront/blob/main/packages/core/middleware/src/createServer.ts#L12
Expected behavior
There should be an option to configure the CORS by params like:
Steps to reproduce
What version of Vue Storefront are you using?
2.5.6
What version of Node.js are you using?
16.14
What browser (and version) are you using?
Chrome
What operating system (and version) are you using?
macOS
Relevant log output
No response