From 45228d9e9999054fefbf5bec4b65d24385bd9e34 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Sun, 1 Mar 2026 16:36:56 -0800
Subject: [PATCH] fix: restrict CORS to same-origin (closes #23)

In dev mode, keep the wildcard origin for local testing convenience. In production, skip CORS headers entirely since the web UI is server-rendered and cross-origin requests are not expected.
---
 internal/middleware/middleware.go | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/internal/middleware/middleware.go b/internal/middleware/middleware.go
index df80ce1..4f96a63 100644
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -108,18 +108,22 @@ func (s *Middleware) Logging() func(http.Handler) http.Handler {
 }
 
 func (s *Middleware) CORS() func(http.Handler) http.Handler {
-	return cors.Handler(cors.Options{
-		// CHANGEME! these are defaults, change them to suit your needs or
-		// read from environment/viper.
-		// AllowedOrigins: []string{"https://foo.com"}, // Use this to allow specific origin hosts
-		AllowedOrigins: []string{"*"},
-		// AllowOriginFunc: func(r *http.Request, origin string) bool { return true },
-		AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-		AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
-		ExposedHeaders: []string{"Link"},
-		AllowCredentials: false,
-		MaxAge: 300, // Maximum value not ignored by any of major browsers
-	})
+	if s.params.Config.IsDev() {
+		// In development, allow any origin for local testing.
+		return cors.Handler(cors.Options{
+			AllowedOrigins: []string{"*"},
+			AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+			AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
+			ExposedHeaders: []string{"Link"},
+			AllowCredentials: false,
+			MaxAge: 300,
+		})
+	}
+	// In production, the web UI is server-rendered so cross-origin
+	// requests are not expected. Return a no-op middleware.
+	return func(next http.Handler) http.Handler {
+		return next
+	}
 }
 
 // RequireAuth returns middleware that checks for a valid session.
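Review bot: The production-branch comment ("cross-origin requests are not expected") overstates what the no-op middleware achieves: omitting CORS headers does not stop a browser from sending a cross-origin request, it only stops the page from reading the response, so state-changing handlers behind this middleware still depend on whatever CSRF check the X-CSRF-Token header in the dev options hints at. I would reword it to `// In production no CORS headers are emitted, so browsers fall back to same-origin policy; this does not block cross-origin requests, it only prevents reading their responses.` The exported CORS method also lacks a doc comment; something like `// CORS returns the cross-origin middleware: a wildcard-origin handler in dev mode, a pass-through that emits no CORS headers otherwise.` would do. The dev branch silently drops the explanation for `MaxAge: 300` that the removed lines carried; keeping `// Maximum value not ignored by any of major browsers` would preserve that context. Since the wildcard now hinges entirely on `s.params.Config.IsDev()`, whose definition is outside this hunk, a one-line log of which branch was selected at construction time would make a misconfigured deployment visible.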