From 03028d0df95e06efea9f925e0061f158e4f55a54 Mon Sep 17 00:00:00 2001
From: Naman Singh
Date: Wed, 27 May 2026 19:13:36 +0530
Subject: [PATCH] fix: resolve CORS misconfiguration vulnerability with allow_origins wildcard

Critical security fix: Using allow_origins=['*'] with allow_credentials=True violates the CORS specification and allows any external website to make authenticated requests to the API. This enables cross-origin credential leakage attacks where malicious sites can exfiltrate user data.

The fix:
- Moves allowed origins to Settings.CORS_ORIGINS config
- Restricts to specific development origins (localhost:5173, localhost:3000)
- Allows easy configuration via .env for production deployments
---
 backend/app/config.py | 8 ++++++++
 backend/app/main.py | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/backend/app/config.py b/backend/app/config.py
index 84c2825..6e9ef3b 100644
--- a/backend/app/config.py
+++ b/backend/app/config.py
@@ -30,6 +30,14 @@ class Settings(BaseSettings):
     SUPABASE_KEY: str = ""
     SUPABASE_BUCKET_NAME: str = "resumes"
 
+    # CORS
+    CORS_ORIGINS: list[str] = [
+        "http://localhost:5173",
+        "http://localhost:3000",
+        "http://127.0.0.1:5173",
+        "http://127.0.0.1:3000",
+    ]
+
     # Piston (code execution)
     PISTON_URL: str = "http://localhost:2000"
 
diff --git a/backend/app/main.py b/backend/app/main.py
index 1e49fd4..6e90964 100644
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -45,7 +45,7 @@ async def lifespan(_: FastAPI) -> AsyncGenerator[None, None]:
 
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=settings.CORS_ORIGINS,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
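Review bot: The new `CORS_ORIGINS: list[str]` field in config.py carries no comment on how it is meant to be overridden, even though the commit message advertises `.env` configuration; if `Settings` is a pydantic-settings `BaseSettings`, a list-typed field is read from the environment as JSON, so a plain comma-separated `CORS_ORIGINS=https://a,https://b` would fail to parse at startup. Suggest recording the expected form above the field: `# Override in .env as a JSON array, e.g. CORS_ORIGINS=["https://app.example.com"]` (example.com value is illustrative). Because this list feeds a middleware configured with `allow_credentials=True`, `"*"` must never appear in it; a small field validator rejecting `"*"` would turn a future misconfiguration into a startup error instead of a silent credential exposure. The pydantic version is not visible here, so the decorator name (`field_validator` vs `validator`) needs confirming before adding it.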
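Review bot: The new `allow_origins=settings.CORS_ORIGINS` line in main.py has no comment explaining why an explicit list is required, so the next engineer who needs an extra domain may reach for `"*"` again; a one-line note such as `# Explicit origins only: "*" combined with allow_credentials=True would reflect any Origin and expose credentials` records the constraint at the point it is enforced. Starlette's CORSMiddleware matches list entries exactly (scheme, host and port), so a production origin not spelled exactly as served will be rejected; for pattern-based needs its `allow_origin_regex` parameter is the supported route rather than widening the list. Whether `settings` is imported and constructed in main.py before this call is not visible in the hunk and should be confirmed. The `app.add_middleware(` call's closing parenthesis lies outside the hunk.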