hashtopolis · Eric-Wasson · Nov 27, 2025 · Oct 30, 2025 · Nov 3, 2025 · Nov 4, 2025
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -14,7 +14,8 @@ services:
       HASHTOPOLIS_DB_DATABASE: $MYSQL_DATABASE
       HASHTOPOLIS_ADMIN_USER: $HASHTOPOLIS_ADMIN_USER
       HASHTOPOLIS_ADMIN_PASSWORD: $HASHTOPOLIS_ADMIN_PASSWORD
-      HASHTOPOLIS_APIV2_ENABLE: $HASHTOPOLIS_APIV2_ENABLE
+      HASHTOPOLIS_APIV2_ENABLE: $HASHTOPOLIS_APIV2_ENABLE 
+      HASHTOPOLIS_FRONTEND_URLS: $HASHTOPOLIS_FRONTEND_URLS
     depends_on:
       - db
     ports:

diff --git a/env.example b/env.example
@@ -9,3 +9,4 @@ HASHTOPOLIS_DB_HOST=db
 
 HASHTOPOLIS_APIV2_ENABLE=0
 HASHTOPOLIS_BACKEND_URL=http://localhost:8080/api/v2
+HASHTOPOLIS_FRONTEND_URLS=http://127.0.0.1:4200,https://127.0.0.1:4200,http://localhost:4200,https://localhost:4200,http://127.0.0.1:8080,https://127.0.0.1:8080,http://localhost:8080,https://localhost:8080
diff --git a/src/api/v2/index.php b/src/api/v2/index.php
@@ -173,8 +173,6 @@ public function process(Request $request, RequestHandler $handler): Response {
 }
 
 
-/* FIXME: CORS wildcard hack should require proper implementation and validation */
-
 /* This middleware will append the response header Access-Control-Allow-Methods with all allowed methods */
 
 class CorsHackMiddleware implements MiddlewareInterface {
@@ -190,7 +188,19 @@ public static function addCORSheaders(Request $request, $response) {
     $methods = $routingResults->getAllowedMethods();
     $requestHeaders = $request->getHeaderLine('Access-Control-Request-Headers');
 
-    $response = $response->withHeader('Access-Control-Allow-Origin', '*');
+    if (getenv('HASHTOPOLIS_FRONTEND_URLS') !== false) {
+      if(in_array($_SERVER['HTTP_ORIGIN'], explode(',', getenv('HASHTOPOLIS_FRONTEND_URLS')), true)) {
+        $response = $response->withHeader('Access-Control-Allow-Origin', $_SERVER['HTTP_ORIGIN']);
+      }
+      else {
+        Util::createLogEntry(DLogEntryIssuer::USER, Login::getInstance()->getUserID(), DLogEntry::WARN, "CORS error: Allow-Origin doesn't match. Please make sure to include the used frontend in the .env file.");
+      }
+    }
+    else {
+      //No frontend URLs given in .env file, switch to default allow all
+      $response = $response->withHeader('Access-Control-Allow-Origin', '*');
+    }
+
     $response = $response->withHeader('Access-Control-Allow-Methods', implode(',', $methods));
     $response = $response->withHeader('Access-Control-Allow-Headers', $requestHeaders);
Original file line number	Diff line number	Diff line change
Expand Up		@@ -9,3 +9,4 @@ HASHTOPOLIS_DB_HOST=db

		HASHTOPOLIS_APIV2_ENABLE=0
		HASHTOPOLIS_BACKEND_URL=http://localhost:8080/api/v2
		HASHTOPOLIS_FRONTEND_URLS=http://127.0.0.1:4200,https://127.0.0.1:4200,http://localhost:4200,https://localhost:4200,http://127.0.0.1:8080,https://127.0.0.1:8080,http://localhost:8080,https://localhost:8080