fix(vite): restrict CORS to known origins instead of wildcard
Add explicit CORS allowlist covering localhost variants, APP_URL env var, and the configured vite host/port pair. Replaces implicit open CORS with regex-based origin matching.
parent
1f1fe1f184
commit
8e22ce4ba7
1 changed files with 9 additions and 0 deletions
|
|
@ -17,6 +17,15 @@ export default defineConfig(({ mode }) => {
|
|||
},
|
||||
host: "0.0.0.0",
|
||||
allowedHosts: true,
|
||||
cors: {
|
||||
origin: [
|
||||
/^https?:\/\/localhost(:\d+)?$/,
|
||||
/^https?:\/\/127\.0\.0\.1(:\d+)?$/,
|
||||
/^https?:\/\/\[::1\](:\d+)?$/,
|
||||
...(env.APP_URL ? [env.APP_URL] : []),
|
||||
...(viteHost ? [`http://${viteHost}:${vitePort}`, `https://${viteHost}:${vitePort}`] : []),
|
||||
],
|
||||
},
|
||||
origin: viteHost ? `http://${viteHost}:${vitePort}` : undefined,
|
||||
hmr: viteHost
|
||||
? { host: viteHost, clientPort: vitePort }
|
||||
|
|
|
|||
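Review bot: The `allowedHosts: true` line just above the new `cors` block still disables Vite's Host-header check, so with `host: "0.0.0.0"` the origin allowlist added here does not cover DNS-rebinding-style access, where the browser treats the request as same-origin and CORS is never consulted. Consider replacing it with an explicit list such as `allowedHosts: viteHost ? [viteHost] : [],`, since Vite already accepts localhost and IP addresses by default. Separately, `env.APP_URL` is matched as an exact string, so a value with a trailing slash or a path would never equal a browser's `Origin` header; `new URL(env.APP_URL).origin` would normalise it. The enclosing config object starts and ends outside this hunk, so whether `vitePort` is always defined when `viteHost` is set cannot be confirmed from here.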