fix: optimize cores headers (#5629)

This commit enhances two aspects of CORS: - Always support CORS preflight requests. - Do not add additional secuity headers for prefligh calls.
2025-04-24 01:18:01 +02:00 · 2023-12-13 16:12:17 +01:00 · 2023-12-13 16:12:17 +01:00 · 4618a52014
commit 4618a52014
parent adb9ba5c09
4 changed files with 10 additions and 10 deletions
--- a/src/lib/app.ts
+++ b/src/lib/app.ts
@ -102,10 +102,7 @@ export default async function getApp(
    // so this must be handled before the API token middleware.
    app.options(
        `${baseUriPath}/api/frontend*`,
-        conditionalMiddleware(
+        corsOriginMiddleware(services, config),
            () => config.flagResolver.isEnabled('embedProxy'),
            corsOriginMiddleware(services, config),
        ),
    );
    app.use(baseUriPath, patMiddleware(config, services));
--- a/src/lib/middleware/conditional-middleware.ts
+++ b/src/lib/middleware/conditional-middleware.ts
@ -7,7 +7,6 @@ export const conditionalMiddleware = (
    const router = Router();
    router.use((req, res, next) => {
        res.setHeader('Vary', 'Origin');
        if (condition()) {
            middleware(req, res, next);
        } else {
--- a/src/lib/middleware/cors-origin-middleware.ts
+++ b/src/lib/middleware/cors-origin-middleware.ts
@ -19,7 +19,7 @@ export const corsOriginMiddleware = (
    { proxyService }: Pick<IUnleashServices, 'proxyService'>,
    config: IUnleashConfig,
 ): RequestHandler => {
-    return cors(async (req, callback) => {
+    const corsFunc = cors(async (req, callback) => {
        try {
            const { frontendApiOrigins = [] } =
                await proxyService.getFrontendSettings();
@ -33,4 +33,8 @@ export const corsOriginMiddleware = (
            callback(error);
        }
    });
    return (req, res, next) => {
        res.setHeader('Vary', 'Origin');
        corsFunc(req, res, next);
    };
 };
--- a/src/lib/middleware/secure-headers.ts
+++ b/src/lib/middleware/secure-headers.ts
@ -116,11 +116,11 @@ const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
        });
        return (req, res, next) => {
-            const stripHeadersOnAPI =
+            if (req.method === 'OPTIONS') {
-                config.flagResolver.isEnabled('stripHeadersOnAPI');
+                return next();
-            if (
+            } else if (
                req.path.startsWith(`${config.server.baseUriPath}/api/`) &&
-                stripHeadersOnAPI
+                config.flagResolver.isEnabled('stripHeadersOnAPI')
            ) {
                apiHelmet(req, res, next);
            } else {