security: restrict CORS_ORIGIN to an explicit whitelist

Replace CORS_ORIGIN=true (all origins allowed) with the production value
https://konstitisyon.nu in .env.sample.
Also document the local dev value (http://localhost:3000).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-13 21:35:10 +04:00
parent 154856b2a9
commit d59972af91
+5 -1
@@ -242,7 +242,11 @@ SESSION_COOKIE_NAME="directus_session_token"
CORS_ENABLED=true CORS_ENABLED=true
# Value for the Access-Control-Allow-Origin header. Use true to match the Origin header, or provide a domain or a CSV of domains for specific access [false] # Value for the Access-Control-Allow-Origin header. Use true to match the Origin header, or provide a domain or a CSV of domains for specific access [false]
CORS_ORIGIN=true # NE PAS utiliser true en production — lister explicitement les origines autorisées
# Dev local :
# CORS_ORIGIN=http://localhost:3000
# Production :
CORS_ORIGIN=https://konstitisyon.nu
# Value for the Access-Control-Allow-Methods header [GET,POST,PATCH,DELETE] # Value for the Access-Control-Allow-Methods header [GET,POST,PATCH,DELETE]
CORS_METHODS=GET,POST,PATCH,DELETE CORS_METHODS=GET,POST,PATCH,DELETE
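Review bot: The active value in a sample file is now the production origin while the dev value `# CORS_ORIGIN=http://localhost:3000` is left commented out, so anyone copying .env.sample for local work gets an origin that rejects browser requests from localhost; consider making the dev value the uncommented default in the sample (with the production line as the commented alternative), or at least state in the comment that the line must be changed for local use. The preceding comment line already notes that a CSV of domains is accepted, so if a `www.` variant or a staging host also needs access it should be added to that list explicitly rather than by reverting to `true`.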