fix(vite): restrict CORS to known origins instead of wildcard

Add explicit CORS allowlist covering localhost variants, APP_URL env var, and the configured vite host/port pair. Replaces implicit open CORS with regex-based origin matching.
2026-06-13 19:09:50 +00:00 · 2026-04-30 18:23:07 +02:00
parent 1f1fe1f184
commit 8e22ce4ba7
1 changed files with 9 additions and 0 deletions
@@ -17,6 +17,15 @@ export default defineConfig(({ mode }) => {
            },
            host: "0.0.0.0",
            allowedHosts: true,
+            cors: {
+                origin: [
+                    /^https?:\/\/localhost(:\d+)?$/,
+                    /^https?:\/\/127\.0\.0\.1(:\d+)?$/,
+                    /^https?:\/\/\[::1\](:\d+)?$/,
+                    ...(env.APP_URL ? [env.APP_URL] : []),
+                    ...(viteHost ? [`http://${viteHost}:${vitePort}`, `https://${viteHost}:${vitePort}`] : []),
+                ],
+            },
            origin: viteHost ? `http://${viteHost}:${vitePort}` : undefined,
            hmr: viteHost
                ? { host: viteHost, clientPort: vitePort }