Implementiere CORS mit Whitelist und tolerantem Fallback für fehlende Origin-Header in server.js, um die Sicherheit und Flexibilität der API zu erhöhen.

This commit is contained in:
Torsten Schulz (local)
2025-09-24 10:47:10 +02:00
parent bd1cf466e5
commit b1318f5a41


@@ -21,7 +21,25 @@ const filesRouter = require('./routes/files');
const app = express(); const app = express();
const PORT = 3002; const PORT = 3002;
app.use(cors()); // CORS mit Whitelist und tolerantem Fallback für fehlende Origin-Header
const allowedOrigins = (process.env.ALLOWED_ORIGINS || '')
.split(',')
.map(s => s.trim())
.filter(Boolean);
app.use(cors({
origin: (origin, callback) => {
if (!origin) return callback(null, true); // z.B. Healthchecks/curl/Server-zu-Server
if (allowedOrigins.length === 0) return callback(null, true); // Fallback: alles erlauben
if (allowedOrigins.includes(origin)) return callback(null, true);
return callback(new Error('Not allowed by CORS'), false);
},
credentials: true,
methods: ['GET','POST','PUT','PATCH','DELETE','OPTIONS'],
allowedHeaders: ['Content-Type','Authorization']
}));
app.options('*', cors());
app.use(bodyParser.json()); app.use(bodyParser.json());
app.use('/api/auth', authRouter); app.use('/api/auth', authRouter);