From 9f6ac9f8ce788ad9d455f5e1483f96320daeb1d7 Mon Sep 17 00:00:00 2001 From: "debian.StillHammer" Date: Mon, 26 Jan 2026 14:28:00 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Security:=20Remove=20hardcoded?= =?UTF-8?q?=20CORS=20wildcard=20headers?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Removed manual 'Access-Control-Allow-Origin: *' setHeader calls - Now using cors middleware with ALLOWED_ORIGINS env variable - CORS can be restricted via environment configuration Security improvement from Wave 2 pentest. Date: 2026-01-26 --- src/server.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/server.js b/src/server.js
index 842bf8e..5d3f08f 100644
--- a/src/server.js
+++ b/src/server.js
@@ -341,7 +341,7 @@ app.get('/download-stream', async (req, res) => {
 res.setHeader('Content-Type', 'text/event-stream');
 res.setHeader('Cache-Control', 'no-cache');
 res.setHeader('Connection', 'keep-alive');
- res.setHeader('Access-Control-Allow-Origin', '*');
+
 
 const sendEvent = (event, data) => {
 res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
@@ -834,7 +834,7 @@ app.get('/process-stream', async (req, res) => {
 res.setHeader('Content-Type', 'text/event-stream');
 res.setHeader('Cache-Control', 'no-cache');
 res.setHeader('Connection', 'keep-alive');
- res.setHeader('Access-Control-Allow-Origin', '*');
+
 
 const sendEvent = (event, data) => {
 res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
@@ -1295,7 +1295,7 @@ app.get('/summarize-stream', async (req, res) => {
 res.setHeader('Content-Type', 'text/event-stream');
 res.setHeader('Cache-Control', 'no-cache');
 res.setHeader('Connection', 'keep-alive');
- res.setHeader('Access-Control-Allow-Origin', '*');
+
 
 const sendEvent = (event, data) => {
 res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
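Review bot: The `cors` middleware and `ALLOWED_ORIGINS` handling that the commit message credits with replacing this wildcard header are not present in this diff (its three insertions are empty lines), so it cannot be confirmed from the hunk that `app.use(cors(...))` is registered before these route handlers; if it is not, browsers will now block the cross-origin `EventSource` clients of `/download-stream` that `*` previously allowed. Worth checking in that middleware as well: the behaviour when `ALLOWED_ORIGINS` is unset (it should deny rather than fall back to `*`), that request origins are compared exactly against the list rather than with a substring `includes()` match, and that `credentials: true` is only ever combined with an explicit allow-list, since reflecting an arbitrary `Origin` with credentials would be weaker than the wildcard being removed. A one-line comment where the header used to be, such as `// CORS headers are set by the app-level cors middleware (ALLOWED_ORIGINS)`, would tell the next reader why this SSE response sets no Access-Control header. The `app.get('/download-stream', …)` handler starts before and continues past this hunk.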
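Review bot: The `+` line in this hunk replaces the removed `setHeader` call with an empty line directly above the existing blank context line, leaving a double blank before `const sendEvent` in `/process-stream` (the same pattern repeats in the other two hunks). Deleting the line outright, with no replacement, keeps the change at three pure deletions and matches the surrounding spacing. If a marker is wanted, prefer a comment over blank space, e.g. `// No Access-Control header here: CORS policy comes from the cors middleware`. The enclosing handler starts and ends outside the hunk.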
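Review bot: After this change the same three `setHeader` calls and the identical `sendEvent` closure appear verbatim in `/download-stream`, `/process-stream` and `/summarize-stream`, so the next header-level decision (a `Cache-Control` tweak, or a CORS rule that has to apply to SSE specifically) would again have to be made in three places. Now that the per-route CORS line is gone from all three, the SSE preamble is a natural candidate for a single shared helper, sketched below for this handler; the rest of the `/summarize-stream` body lies outside the hunk and is unchanged. This is a style suggestion only and does not alter the headers emitted.
```javascript
// Shared SSE preamble. Access-Control headers are deliberately not set here;
// CORS policy for these streams is the responsibility of the cors middleware.
function openEventStream(res) {
  res.setHeader('Content-Type', 'text/event-stream');
  res.setHeader('Cache-Control', 'no-cache');
  res.setHeader('Connection', 'keep-alive');
  return (event, data) => {
    res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
  };
}

app.get('/summarize-stream', async (req, res) => {
  const sendEvent = openEventStream(res);
  // … unchanged: rest of the /summarize-stream handler …
```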