fix: restrict CORS to localhost origins only

Prevents cross-origin attacks from malicious websites by restricting
CORS to only allow:
- Requests without Origin header (hooks, curl, CLI tools)
- Requests from localhost / 127.0.0.1 origins

Previously, CORS was completely open (cors() without configuration),
allowing any website to access the local API and read session data.
OpenCode User
2026-02-04 11:51:16 +01:00
committed by Alex Newman
parent 2aab998b62
commit 86b1d7fad9
2 changed files with 77 additions and 2 deletions
+15 -2
@@ -24,8 +24,21 @@ export function createMiddleware(
// JSON parsing with 50mb limit
middlewares.push(express.json({ limit: '50mb' }));
// CORS
middlewares.push(cors());
// CORS - restrict to localhost origins only
middlewares.push(cors({
origin: (origin, callback) => {
// Allow: requests without Origin header (hooks, curl, CLI tools)
// Allow: localhost and 127.0.0.1 origins
if (!origin ||
origin.startsWith('http://localhost:') ||
origin.startsWith('http://127.0.0.1:')) {
callback(null, true);
} else {
callback(new Error('CORS not allowed'));
}
},
credentials: false
}));
// HTTP request/response logging
middlewares.push((req: Request, res: Response, next: NextFunction) => {