From d59972af91f14073e76ae08a75c98ea7e41e2a5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20FAMIBELLE-PRONZOLA?= Date: Mon, 13 Apr 2026 21:35:10 +0400 Subject: [PATCH] =?UTF-8?q?security:=20restreindre=20CORS=5FORIGIN=20?= =?UTF-8?q?=C3=A0=20une=20whitelist=20explicite?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remplace CORS_ORIGIN=true (toutes origines autorisées) par la valeur de production https://konstitisyon.nu dans .env.sample. Documente également la valeur de dev local (http://localhost:3000). Co-Authored-By: Claude Sonnet 4.6 --- .env.sample | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.env.sample b/.env.sample index 4789ad6..447ef21 100644 --- a/.env.sample +++ b/.env.sample @@ -242,7 +242,11 @@ SESSION_COOKIE_NAME="directus_session_token" CORS_ENABLED=true # Value for the Access-Control-Allow-Origin header. Use true to match the Origin header, or provide a domain or a CSV of domains for specific access [false] -CORS_ORIGIN=true +# NE PAS utiliser true en production — lister explicitement les origines autorisées +# Dev local : +# CORS_ORIGIN=http://localhost:3000 +# Production : +CORS_ORIGIN=https://konstitisyon.nu # Value for the Access-Control-Allow-Methods header [GET,POST,PATCH,DELETE] CORS_METHODS=GET,POST,PATCH,DELETE
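Review bot: The new warning sits directly under the untouched original line `# Value for the Access-Control-Allow-Origin header. Use true to match the Origin header, ...`, which still presents `true` as a normal option, and the added comments are in French while the rest of the file's comments are in English. I would fold the two into one English comment, e.g. `# Allowed origins: CSV of exact scheme://host[:port] values (no trailing slash or path). Never use true in production: it reflects any Origin, which together with CORS_CREDENTIALS=true lets any website make credentialed requests to the API.` If the site is also reached via a www. host or the admin app is served from a different origin, those must be listed in the CSV or browser requests from them will be blocked — whether that applies cannot be told from this hunk. Since only `.env.sample` changes, an already-deployed `.env` keeps whatever value it has and should be verified separately.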