From cd917454604a5bd3391de49f42b302617254d86a Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 5 Mar 2026 05:14:32 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20secure=20CORS=20configuration=20?= =?UTF-8?q?by=20requiring=20whitelist=20in=20production?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Removed insecure fallback to localhost domains in non-development environments.
- App now throws an error on startup if CORS_WHITELIST is not provided when NODE_ENV is not 'development'.
- Preserved existing defaults for development environment to maintain developer workflow.

Co-authored-by: ragsav <45696355+ragsav@users.noreply.github.com>
---
 apps/backend/environment.js | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/apps/backend/environment.js b/apps/backend/environment.js
index d57f3a0..e93ea9c 100644
--- a/apps/backend/environment.js
+++ b/apps/backend/environment.js
@@ -26,15 +26,23 @@ const environmentVariables = {
 LOG_LEVEL: process.env.LOG_LEVEL || "info",
 LOG_FILE_SIZE: process.env.LOG_FILE_SIZE || 1,
 EXPRESS_REQUEST_SIZE_LIMIT: process.env.EXPRESS_REQUEST_SIZE_LIMIT || "5mb",
- CORS_WHITELIST: process.env.CORS_WHITELIST
- ? process.env.CORS_WHITELIST.split(",")
- : [
+ CORS_WHITELIST: (() => {
+ if (process.env.CORS_WHITELIST) {
+ return process.env.CORS_WHITELIST.split(",");
+ }
+ if (env === "development") {
+ return [
 "http://localhost:3000",
 "http://localhost:5173",
 "http://127.0.0.1:3000",
 "http://127.0.0.1:3001",
 "http://localhost:3001",
- ],
+ ];
+ }
+ throw new Error(
+ "CORS_WHITELIST environment variable is required in non-development environments"
+ );
+ })(),
 };
 console.log("environment variables set-----------------------------");
 console.log(environmentVariables);
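Review bot: The new `return process.env.CORS_WHITELIST.split(",")` branch passes the raw split through unchanged, so a value written with spaces after the commas (e.g. `https://app.example.com, https://admin.example.com`, constructed) yields entries with a leading space that will not match an exact-string origin comparison, and a trailing comma or a bare `","` yields an empty-string entry even though the `if (process.env.CORS_WHITELIST)` guard has already been satisfied — the production requirement can be met by a whitelist holding no usable origin. Suggest normalizing and letting an empty result fall through to the existing development/throw logic by replacing the `return` with `const origins = process.env.CORS_WHITELIST.split(",").map((o) => o.trim()).filter((o) => o !== "");` followed by `if (origins.length > 0) return origins;`. The `env` variable compared against `"development"` and the opening of the `environmentVariables` object literal are both defined outside the hunk; presumably `env` derives from `NODE_ENV` as the commit message says, in which case an unset `NODE_ENV` also triggers the new throw, which looks intended but deserves a comment. A short comment above the IIFE stating the accepted format would help operators, e.g. `// CORS_WHITELIST: comma-separated allowed origins; required unless NODE_ENV is "development"`.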