CORS allows wildcard origin (*) - placeholder left from template #23

Closed
opened 2026-03-02 01:29:07 +01:00 by clawbot · 0 comments
Collaborator

Bug

The CORS middleware in internal/middleware/middleware.go allows all origins with a wildcard:

```go
func (s *Middleware) CORS() func(http.Handler) http.Handler {
    return cors.Handler(cors.Options{
        // CHANGEME! these are defaults, change them to suit your needs or
        // read from environment/viper.
        AllowedOrigins: []string{"*"},
```

The CHANGEME! comment indicates this is a placeholder default that was never updated.

While AllowCredentials: false mitigates the worst cross-origin cookie attacks, wildcard CORS still means any site can read responses from webhooker's public endpoints (healthcheck, webhook receiver responses).

For a webhook proxy that handles sensitive payload data, CORS should either:

  • Be restricted to specific origins (the management UI's domain)
  • Not include any CORS headers at all (the default for browsers is to block cross-origin requests)

Fix

Remove the wildcard CORS or make it configurable:

```go
AllowedOrigins: []string{},  // No cross-origin access by default
```

Or read from config:

```go
AllowedOrigins: s.params.Config.CORSOrigins,
```

Category

Should-fix for security.
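To make the difference between the placeholder and the proposed fix concrete, here is an added example (not webhooker's code, and a simplified stand-in for the go-chi/cors handler rather than the library itself) that runs a request through a minimal CORS middleware with a wildcard, an empty allow-list, and a single configured origin; the origins used are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowOriginValue returns the Access-Control-Allow-Origin value for a request's
// Origin, or "" when no CORS header should be sent: an empty allow-list emits
// nothing, while a "*" entry reproduces the placeholder behaviour in the issue.
func allowOriginValue(allowed []string, origin string) string {
	if origin == "" {
		return ""
	}
	for _, o := range allowed {
		if o == "*" {
			return "*" // any site may read the response
		}
		if o == origin {
			return origin
		}
	}
	return ""
}

// CORS is a simplified stand-in for cors.Handler: it sets the header only for
// allowed origins and never enables credentials (AllowCredentials: false).
func CORS(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v := allowOriginValue(allowed, r.Header.Get("Origin")); v != "" {
			w.Header().Set("Access-Control-Allow-Origin", v)
		}
		next.ServeHTTP(w, r)
	})
}

// allowOriginHeader sends one GET /health with the given Origin through the
// middleware and returns the Access-Control-Allow-Origin value a browser sees.
func allowOriginHeader(allowed []string, origin string) string {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/health", nil)
	req.Header.Set("Origin", origin)
	CORS(allowed, ok).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	third := "https://third-party.example" // constructed origin
	fmt.Printf("wildcard=%q empty=%q\n", allowOriginHeader([]string{"*"}, third), allowOriginHeader(nil, third))
}
```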

clawbot added the bot label 2026-03-02 01:29:07 +01:00
sneak closed this issue 2026-03-04 01:19:43 +01:00
Reference: sneak/webhooker#23