fix: improve CORS configuration to handle localhost and private IPs

The CORS check was too strict for local development. Changed to: - Parse origin URL properly to extract hostname - Allow all localhost origins (any port) - Allow all 127.0.0.1 origins (loopback IP) - Allow all private network IPs (192.168.x.x, 10.x.x.x, 172.x.x.x) - Keep security by rejecting unknown origins This fixes CORS errors when accessing from http://localhost:3007 or other local addresses during web mode development. Fixes: "Not allowed by CORS" errors in web mode Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-01-30 06:12:03 +00:00 · 2026-01-18 01:45:10 +05:30
parent 4186b80a82
commit b8875f71a5
1 changed files with 10 additions and 4 deletions
--- a/apps/server/src/index.ts
+++ b/apps/server/src/index.ts
@@ -175,11 +175,17 @@ app.use(
        return;
      }

-      // For local development, allow localhost origins
+      // For local development, allow all localhost/loopback origins (any port)
+      const url = new URL(origin);
+      const hostname = url.hostname;
      if (
-        origin.startsWith('http://localhost:') ||
-        origin.startsWith('http://127.0.0.1:') ||
-        origin.startsWith('http://[::1]:')
+        hostname === 'localhost' ||
+        hostname === '127.0.0.1' ||
+        hostname === '::1' ||
+        hostname === '0.0.0.0' ||
+        hostname.startsWith('192.168.') ||
+        hostname.startsWith('10.') ||
+        hostname.startsWith('172.')
      ) {
        callback(null, origin);
        return;