From 8e22ce4ba745d39b2672c0cc13023d3b0a4404ba Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 30 Apr 2026 18:23:07 +0200
Subject: [PATCH] fix(vite): restrict CORS to known origins instead of wildcard

Add explicit CORS allowlist covering localhost variants, APP_URL env var, and the configured vite host/port pair. Replaces implicit open CORS with regex-based origin matching.
---
 vite.config.js | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/vite.config.js b/vite.config.js
index 4b967c40e..6c706d272 100644
--- a/vite.config.js
+++ b/vite.config.js
@@ -17,6 +17,15 @@ export default defineConfig(({ mode }) => {
 },
 host: "0.0.0.0",
 allowedHosts: true,
+ cors: {
+ origin: [
+ /^https?:\/\/localhost(:\d+)?$/,
+ /^https?:\/\/127\.0\.0\.1(:\d+)?$/,
+ /^https?:\/\/\[::1\](:\d+)?$/,
+ ...(env.APP_URL ? [env.APP_URL] : []),
+ ...(viteHost ? [`http://${viteHost}:${vitePort}`, `https://${viteHost}:${vitePort}`] : []),
+ ],
+ },
 origin: viteHost ? `http://${viteHost}:${vitePort}` : undefined,
 hmr: viteHost ? { host: viteHost, clientPort: vitePort }