fix(security): remove CORS in production, dev-only allowlist (#443)

Author: DioCrafts

main.go

@@ -240,7 +240,7 @@ func main() {
 	}
 	r.Use(gin.Recovery())
 	r.Use(middleware.Logger())
-	r.Use(middleware.CORS())
+	r.Use(middleware.DevCORS(common.CORSAllowedOrigins))
 	model.InitDB()
 	if _, err := model.GetGeneralSetting(); err != nil {
 		klog.Warningf("Failed to load general setting: %v", err)

pkg/common/common.go

@@ -43,6 +43,11 @@ var (
 	DisableGZIP        = true
 	EnableVersionCheck = true
 
+	// CORSAllowedOrigins is empty by default (no CORS in production).
+	// Developers can set CORS_ALLOWED_ORIGINS=http://localhost:5173 for
+	// local Vite dev server cross-origin requests.
+	CORSAllowedOrigins []string
+
 	APIKeyProvider = "api_key"
 
 	AgentPodNamespace = "kube-system"
@@ -111,4 +116,15 @@ func LoadEnvs() {
 		Base = strings.TrimRight(v, "/")
 		klog.Infof("Using base path: %s", Base)
 	}
+
+	if v := os.Getenv("CORS_ALLOWED_ORIGINS"); v != "" {
+		origins := strings.Split(v, ",")
+		for _, o := range origins {
+			o = strings.TrimSpace(o)
+			if o != "" {
+				CORSAllowedOrigins = append(CORSAllowedOrigins, o)
+			}
+		}
+		klog.Warningf("CORS enabled for origins: %v — disable in production", CORSAllowedOrigins)
+	}
 }

pkg/middleware/cors.go

@@ -1,18 +1,57 @@
 package middleware
 
 import (
+	"net/http"
+	"strings"
+
 	"github.com/gin-gonic/gin"
 )
 
-func CORS() gin.HandlerFunc {
+// DevCORS returns a CORS middleware that only allows explicitly configured
+// origins. In production the SPA is served from the same origin as the API
+// (go:embed), so no CORS headers are needed at all.
+//
+// Developers running the Vite dev server on a different port can set
+// CORS_ALLOWED_ORIGINS=http://localhost:5173 to enable cross-origin
+// requests during local development.
+//
+// When allowedOrigins is empty the middleware is a no-op — no CORS
+// headers are emitted and browsers enforce same-origin policy.
+func DevCORS(allowedOrigins []string) gin.HandlerFunc {
+	allowed := make(map[string]bool, len(allowedOrigins))
+	for _, o := range allowedOrigins {
+		o = strings.TrimSpace(o)
+		if o != "" {
+			allowed[strings.TrimRight(o, "/")] = true
+		}
+	}
+
 	return func(c *gin.Context) {
-		c.Writer.Header().Set("Access-Control-Allow-Origin", c.Request.Header.Get("Origin"))
+		// Fast path: no origins configured → no CORS headers (production)
+		if len(allowed) == 0 {
+			c.Next()
+			return
+		}
 
+		origin := c.Request.Header.Get("Origin")
+		if origin == "" || !allowed[origin] {
+			c.Next()
+			return
+		}
+
+		// Only set CORS headers for explicitly allowed origins
+		c.Writer.Header().Set("Access-Control-Allow-Origin", origin)
 		c.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
-		c.Writer.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With, X-Cluster-Name")
-		c.Writer.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS, GET, PUT, DELETE")
-		if c.Request.Method == "OPTIONS" {
-			c.AbortWithStatus(204)
+		c.Writer.Header().Set("Access-Control-Allow-Headers",
+			"Content-Type, Authorization, X-Cluster-Name")
+		c.Writer.Header().Set("Access-Control-Allow-Methods",
+			"GET, POST, PUT, DELETE, PATCH, OPTIONS")
+		c.Writer.Header().Set("Access-Control-Max-Age", "86400")
+		// Vary so caches/CDNs don't serve a response with the wrong origin
+		c.Writer.Header().Add("Vary", "Origin")
+
+		if c.Request.Method == http.MethodOptions {
+			c.AbortWithStatus(http.StatusNoContent)
 			return
 		}
 		c.Next()