Skip to content

security: Restrict CORS Wildcard Origin with Configurable Host Filter #284#288

Open
krsatyamthakur-droid wants to merge 1 commit into
volcano-sh:mainfrom
krsatyamthakur-droid:fix-cors-wildcard
Open

security: Restrict CORS Wildcard Origin with Configurable Host Filter #284#288
krsatyamthakur-droid wants to merge 1 commit into
volcano-sh:mainfrom
krsatyamthakur-droid:fix-cors-wildcard

Conversation

@krsatyamthakur-droid
Copy link
Copy Markdown

@krsatyamthakur-droid krsatyamthakur-droid commented May 29, 2026

What this PR does 🚀

Hey folks! This PR fixes a security issue where our backend was allowing any origin (*) to access the dashboard API. This permissive configuration could have exposed us to Cross-Site Request Forgery (CSRF) attacks, especially since we work with sensitive Kubernetes data.

How it was fixed 🛠️

I updated the CORS initialization to use a safe, configurable approach:

  • We now check for an ALLOWED_ORIGINS environment variable in configs.ts.
  • If no environment variable is provided, it safely defaults to our standard local development origins (http://localhost:3000 and http://localhost:5173).
  • I also enabled credentials: true to ensure standard authenticated requests work seamlessly across allowed domains.

Related Issue 🔗

Fixes #284

Testing Done ✅

  • Verified that API requests from unauthorized domains are correctly rejected by CORS.
  • Verified that the dashboard still functions perfectly on localhost without any changes needed on the frontend.
  • Ran Prettier to ensure the formatting matches our codebase perfectly.

@volcano-sh-bot
Copy link
Copy Markdown
Contributor

volcano-sh-bot commented May 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign william-wang for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 29, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the CORS configuration to restrict allowed origins using a new AllowedOrigins configuration, enabling credentials support, and reformats the affected files. A review comment suggests improving the robustness of parsing the ALLOWED_ORIGINS environment variable by trimming whitespace and filtering out empty values to prevent potential CORS failures.

Comment thread packages/trpc/server/utils/configs.ts
@krsatyamthakur-droid
Copy link
Copy Markdown
Author

krsatyamthakur-droid commented Jun 2, 2026

Hi @JesseStutler,
I've submitted the changes for this PR. Could you please review it when you have a chance? Thanks!

@krsatyamthakur-droid
fix(security): restrict CORS wildcard origin with configurable host f…
8a99b56 
…ilter

Signed-off-by: satyam kumar <krsatyamthakur@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@de6p de6p Awaiting requested review from de6p

@JesseStutler JesseStutler Awaiting requested review from JesseStutler

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size/M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

security: Restrict CORS Wildcard Origin with Configurable Host Filter

2 participants

@krsatyamthakur-droid @volcano-sh-bot