Description
A HIGH severity security vulnerability exists in backend/server.js at line 15. The server uses cors('*'), which instructs browsers to allow any origin to read API responses, removing the Same-Origin Policy as a defence layer for all current and future endpoints.
Impact
Any website on the internet can make cross-origin requests to this API and read the responses. All unauthenticated endpoints are fully exposed. Any future endpoint added by any contributor is silently exposed by default, with no per-origin security review, so the attack surface grows with the API and nobody has to opt in.
Steps to Reproduce
- From a page served at any origin (e.g., file:// or http://attacker.com), run:

    fetch('http://localhost:5000/api/auth/signup', {
      method: 'POST',
      body: '{}',
      headers: { 'Content-Type': 'application/json' }
    }).then(r => r.json()).then(console.log);

- Observe that the browser allows the cross-origin read and returns the full JSON response.
- Confirm that the response header shows Access-Control-Allow-Origin: *.
Expected Behaviour
Only the known frontend origin (e.g., http://localhost:5173 in dev, the production domain in prod) should appear in Access-Control-Allow-Origin. All other origins should receive a CORS policy error.
Proposed Fix
Replace cors('*') with an explicit origin allowlist driven by an environment variable.
// backend/server.js
// Assumes `app` (express()) and `cors` (require('cors')) are already defined earlier in server.js.
// ALLOWED_ORIGINS is a comma-separated list of exact origins; the Vite dev origin is the
// default when the variable is unset.
const allowedOrigins = (process.env.ALLOWED_ORIGINS || 'http://localhost:5173')
  .split(',')
  .map(o => o.trim());

app.use(cors({
  // Called per request with the Origin header value (undefined for same-origin or
  // non-browser requests). callback(null, true) echoes that origin back in
  // Access-Control-Allow-Origin; passing an Error makes cors reject the request.
  origin: (origin, callback) => {
    if (!origin || allowedOrigins.includes(origin)) {
      callback(null, true);
    } else {
      callback(new Error(`CORS blocked: ${origin}`));
    }
  },
  credentials: true,
  methods: ['GET', 'POST'],
  allowedHeaders: ['Content-Type'],
}));

# backend/.env.sample
ALLOWED_ORIGINS=http://localhost:5173
Files affected: backend/server.js, backend/.env.sample
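As an added example (not code from this issue or the project), the allowlist logic of the proposed fix pulled into plain functions so it can be unit-tested without starting the server; it also validates each ALLOWED_ORIGINS entry at startup, because an entry with a path or trailing slash can never equal a browser's Origin header and would silently lock the real frontend out. The names parseAllowedOrigins, isOriginAllowed and makeOriginCheck are chosen here; the (origin, callback) contract is the cors package's.

```javascript
// Added example, not the issue author's or the project's code. Names below are
// chosen here; the (origin, callback) contract is the one the cors package uses.

// Parse ALLOWED_ORIGINS ("a,b,c") into exact origins. Each entry must be a bare
// origin (scheme://host[:port]); an entry with a path or trailing slash can never
// equal a browser's Origin header, so it is rejected at startup instead of
// silently locking the real frontend out.
function parseAllowedOrigins(raw, fallback = 'http://localhost:5173') {
  const entries = (raw || fallback).split(',').map(o => o.trim()).filter(Boolean);
  return entries.map(entry => {
    let parsed;
    try {
      parsed = new URL(entry);
    } catch {
      throw new Error(`ALLOWED_ORIGINS: not a URL: ${entry}`);
    }
    if (parsed.origin !== entry) {
      throw new Error(`ALLOWED_ORIGINS: expected bare origin ${parsed.origin}, got ${entry}`);
    }
    return parsed.origin;
  });
}

// Exact match only. Prefix, suffix or regex matching is how allowlists get bypassed
// by look-alike hosts ("http://localhost:5173.example" is not localhost).
// A missing Origin header means same-origin or a non-browser client; the literal
// string "null" (sent by file:// and sandboxed pages) is a real value and stays blocked.
function isOriginAllowed(origin, allowedOrigins) {
  if (!origin) return true;
  return allowedOrigins.includes(origin);
}

// Build the value for cors({ origin }) the way the proposed fix does: true echoes
// the origin back in Access-Control-Allow-Origin, an Error makes cors reject it.
function makeOriginCheck(allowedOrigins) {
  return (origin, callback) => {
    if (isOriginAllowed(origin, allowedOrigins)) return callback(null, true);
    return callback(new Error(`CORS blocked: ${origin}`));
  };
}
```

Rejecting an origin only withholds the Access-Control-Allow-Origin header; the request itself still reaches the route handler, so CORS restricts what browsers may read and is not a substitute for authentication.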
Labels
type:security level:intermediate gssoc:approved
Please assign this issue to me under GSSoC 2026. I will open a PR with a complete fix covering all affected files, proper test coverage, and verification steps.