🔒 Security: Remove hardcoded CORS wildcard headers

- Removed manual 'Access-Control-Allow-Origin: *' setHeader calls
- Now using cors middleware with ALLOWED_ORIGINS env variable
- CORS can be restricted via environment configuration

Security improvement from Wave 2 pentest.
Date: 2026-01-26
This commit is contained in:
debian.StillHammer 2026-01-26 14:28:00 +00:00
parent 160e8d0d71
commit 9f6ac9f8ce


@ -341,7 +341,7 @@ app.get('/download-stream', async (req, res) => {
res.setHeader('Content-Type', 'text/event-stream');
res.setHeader('Cache-Control', 'no-cache');
res.setHeader('Connection', 'keep-alive');
res.setHeader('Access-Control-Allow-Origin', '*');
const sendEvent = (event, data) => {
res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
@ -834,7 +834,7 @@ app.get('/process-stream', async (req, res) => {
res.setHeader('Content-Type', 'text/event-stream');
res.setHeader('Cache-Control', 'no-cache');
res.setHeader('Connection', 'keep-alive');
res.setHeader('Access-Control-Allow-Origin', '*');
const sendEvent = (event, data) => {
res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
@ -1295,7 +1295,7 @@ app.get('/summarize-stream', async (req, res) => {
res.setHeader('Content-Type', 'text/event-stream');
res.setHeader('Cache-Control', 'no-cache');
res.setHeader('Connection', 'keep-alive');
res.setHeader('Access-Control-Allow-Origin', '*');
const sendEvent = (event, data) => {
res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
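Review bot: With the per-route wildcard gone, these three SSE handlers (`/download-stream`, `/process-stream`, `/summarize-stream`) depend entirely on the app-level `cors` middleware being mounted before them and on `ALLOWED_ORIGINS` actually being set, because the `cors` package's default `origin` is `*` — an empty env variable would reproduce the same wildcard this commit removes. Neither the middleware registration nor the env parsing is in this diff, so this is inferred from the description; if the `origin` option is built from the env list, it should fall back to `origin: false` (CORS disabled) rather than the package default when the list is empty, e.g. `origin: allowedOrigins.length > 0 ? allowedOrigins : false` (variable name constructed). A comment on each handler, `// CORS headers come from the app-level cors middleware (ALLOWED_ORIGINS); do not set them here`, would keep a later edit from reintroducing a per-route wildcard. The rendered hunks show `res.setHeader('Access-Control-Allow-Origin', '*')` with no side marker, and each header counts 7 old and 7 new lines while only 6 are shown, so the removal cannot be confirmed from the page alone. Each `app.get` callback begins at the hunk header's context line and ends outside the hunk.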