CORS is wide open on the server with no origin restrictions#12
Open
Remove the unconfigured `cors()` middleware that was setting `Access-Control-Allow-Origin: *` on all routes, allowing any website to make cross-origin requests to the server.

CORS is unnecessary for this server because:

- The primary client is the Tauri desktop app, which doesn't use browser fetch and is unaffected by CORS
- The auth callback HTML page is served directly by the server itself (same-origin), so no cross-origin access is needed
- The /health and /metrics endpoints have no legitimate browser cross-origin consumers

Removing CORS entirely is the most secure option. If cross-origin browser access is needed in the future, CORS can be re-added with an explicit origin allowlist.

SUSTN-Task: 950c7bb2-9bba-4e03-9319-4a5b88c71b54
Ghvstcode
commented
Mar 28, 2026
| const app = new Hono<{ Bindings: Bindings }>(); | ||
|
|
||
| app.use("*", logger()); | ||
| app.use("*", cors()); |
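Review bot: dropping `app.use("*", cors())` removes the `Access-Control-Allow-Origin: *` header from every route, which is the fix the issue asked for, but it only changes what browsers are permitted to read; the server still answers any request that carries a valid Bearer token, so the token on the metrics endpoint remains the actual access control and should be handled accordingly. If the auth callback page is ever served from an origin other than the server's own, re-add `cors()` with an explicit `origin` allowlist rather than the bare call that was removed here.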
Owner
Author
This makes no sense? We are just removing CORS instead of whitelisting the URLs?
Ghvstcode
commented
Mar 29, 2026
| @@ -1,5 +1,4 @@ | |||
| import { Hono } from "hono"; | |||
| import { cors } from "hono/cors"; | |||
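Review bot: removing `import { cors } from "hono/cors"` alongside the middleware keeps the file free of an unused symbol, and the `@@ -1,5 +1,4 @@` header confirms only that one import line goes; confirm that nothing else in server/src/index.ts still references `cors`, otherwise the TypeScript build will fail on the missing identifier.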
Owner
Author
Thanks for the feedback!
SUSTN Auto-PR
The server in `server/src/index.ts:8` applies `cors()` middleware with no configuration, which means `Access-Control-Allow-Origin: *` is set on all routes. This allows any website to make authenticated requests to the SUSTN server endpoints — including the metrics ingestion endpoint which accepts a Bearer token.

While the desktop app communicates directly with the server (not through a browser), the auth callback page IS served in a browser during the OAuth flow. An attacker could create a malicious webpage that, if a SUSTN user visits it, could submit crafted metric events to the server using a stolen or guessed token, or probe the auth endpoints.
The fix should restrict CORS origins to only the domains that legitimately need access. For the auth callback HTML page, the server URL itself should be allowed. For the metrics endpoint called from the Tauri app, CORS isn't needed at all since it's not a browser request. Consider either removing CORS entirely (since the primary client is a desktop app, not a browser) or restricting it to the server's own origin for the auth callback flow.
Branch:
sustn/cors-is-wide-open-on-the-server-with-no-origin-restrictions
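To make the two options in the issue concrete, here is an added example that is not code from the SUSTN project or from Hono: a dependency-free model of an unconfigured `cors()` (wildcard on every route) beside an explicit origin allowlist of the kind recommended above. The server origin `https://sustn-server.example` and all request headers are constructed placeholders; `wildcardCors`, `allowlistCors`, `handle` and `compare` are names chosen for this example.

```javascript
// Added example (not SUSTN or Hono code): the two CORS policies discussed in
// the issue, modelled without a framework so they run stand-alone.
// Request header names are expected lowercased, as Node normalises them.

// Assumed server origin; placeholder, the real deployment URL is not on the page.
const SERVER_ORIGIN = "https://sustn-server.example";
const ALLOWED_ORIGINS = new Set([SERVER_ORIGIN]);

// Policy 1: what an unconfigured cors() does. Every response, whatever the
// Origin, carries the wildcard, so a page on any site may read the response.
function wildcardCors(_requestHeaders) {
  return { "Access-Control-Allow-Origin": "*" };
}

// Policy 2: explicit allowlist. Emit the header only for a trusted Origin,
// echoing that exact value rather than "*", and add Vary: Origin so a shared
// cache never replays one origin's answer to a different origin.
function allowlistCors(requestHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = requestHeaders["origin"];
  if (origin === undefined || !allowed.has(origin)) {
    return {}; // no header: the browser refuses to expose the response
  }
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}

// Route a request through policy 2. A preflight from an untrusted origin gets
// an empty 204, so the browser blocks the real request before sending it.
// A request with no Origin at all (the Tauri app, curl, a scraper) is served
// normally: CORS is enforced by the browser, not the server, so the Bearer
// token on /metrics stays the real access control for non-browser clients.
function handle(method, requestHeaders, allowed = ALLOWED_ORIGINS) {
  const cors = allowlistCors(requestHeaders, allowed);
  const trusted = "Access-Control-Allow-Origin" in cors;
  const preflight =
    method === "OPTIONS" && "access-control-request-method" in requestHeaders;
  if (preflight) {
    if (!trusted) return { status: 204, headers: {} };
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
      },
    };
  }
  // Actual request: the route handler runs either way; `cors` only decides
  // whether a browser page on `origin` may read the result.
  return { status: 200, headers: cors, served: true };
}

// Constructed samples: a third-party page, the server's own callback page,
// and the desktop client, which sends no Origin header.
function compare() {
  const thirdParty = { origin: "https://other-site.example" };
  const callbackPage = { origin: SERVER_ORIGIN };
  const desktopApp = {};
  return {
    wildcard: {
      thirdParty: wildcardCors(thirdParty)["Access-Control-Allow-Origin"],
    },
    allowlist: {
      thirdParty: allowlistCors(thirdParty)["Access-Control-Allow-Origin"] ?? null,
      callbackPage: allowlistCors(callbackPage)["Access-Control-Allow-Origin"] ?? null,
      desktopApp: handle("POST", desktopApp).served,
    },
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

The `desktopApp` case is the one to keep in mind when reading the PR: with or without CORS, a client that is not a browser gets the same answer from the server, which is why the review comment above asking for an allowlist and the PR's decision to remove the middleware entirely are both defensible, and why the Bearer token, not CORS, protects the metrics endpoint.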