fix: tighten API CORS policy to trusted origins#90
fix: tighten API CORS policy to trusted origins#90224599437 wants to merge 1 commit intothoth-tech:10.0.xfrom
Conversation
Replace wildcard CORS behavior with whitelist validation and restrict allowed headers/methods so only trusted frontend origins can make cross-origin API requests. Made-with: Cursor
|
I’ve reviewed and tested the changes, and the behaviour aligns with the intended fix: Requests with an untrusted Origin (e.g. http://evil.com) are correctly not granted with wildcard Access-Control-Allow-Origin: * or reflected back. The removal of wildcard CORS headers from api_root.rb and the introduction of a strict origin allowlist in application.rb is a solid approach and significantly reduces the risk of CSRF-like abuse via cross-origin browser requests. Postman Screenshot verification: Postman Screenshot: Example.com domain Localhost:4200 Screenshot |
|
Tested locally. Untrusted origin (evil.com) no longer receives Access-Control-Allow-Origin. Trusted origin (localhost:4200) is correctly allowed. CORS misconfiguration successfully remediated. 
|
SteveDala
left a comment
SteveDala
left a comment
There was a problem hiding this comment.
Looks good to me and seems to be a sensible change to the security of the application.
@224599437 please open an upstream pull request (against doubtfire-api)
4 participants
Description
This fix addresses a misconfigured CORS policy that allowed any external origin to make cross-origin requests to the Doubtfire API. Previously, the server responded with Access-Control-Allow-Origin: * and accepted any headers and methods, meaning malicious websites could send requests to the API via a victim's browser.
Changes made:
doubtfire-api/config/application.rb
Replaced the wildcard origins '*' with a strict origin allowlist
Default trusted origins include http://localhost:4200 and https://#{config.institution[:host]}
Added optional override via CORS_ALLOWED_ORIGINS environment variable (comma-separated)
Added explicit Origin validation logic that checks the incoming Origin header against the allowlist before permitting CORS
Restricted allowed headers to: Content-Type, Authorization, Accept
Restricted allowed methods to: GET, POST, PUT, DELETE, OPTIONS
doubtfire-api/app/api/api_root.rb
Removed manual wildcard CORS headers from the API before block (Access-Control-Allow-Origin: * and Access-Control-Request-Method: *)
Request IP thread variable logic was left untouched
Fixes # (CORS misconfiguration issue)
Type of change
Bug fix (non-breaking change which fixes an issue)
How Has This Been Tested?
The fix was verified using Burp Suite Repeater and curl from a Kali Linux machine targeting the Windows-hosted API.
Test 1 — Untrusted origin is blocked:
Sent GET /api/activity_types HTTP/1.1 with header Origin: https://evil.com
Confirmed response does not return Access-Control-Allow-Origin: * or echo back evil.com
Test 2 — Trusted origin is allowed:
Sent same request with header Origin: http://localhost:4200
Confirmed response returns Access-Control-Allow-Origin: http://localhost:4200
curl command used:
bashcurl -X GET http://localhost:3000/api/activity_types
-H "Origin: https://evil.com"
-H "Accept: application/json"
-v 2>&1 | grep -i "access-control"
Checklist:
My code follows the style guidelines of this project
I have performed a self-review of my own code
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation if appropriate
My changes generate no new warnings
I have added tests that prove my fix is effective or that my feature works
I have created or extended unit tests to address my new additions
New and existing unit tests pass locally with my changes
Any dependent changes have been merged and published in downstream modules