@@ -54,12 +54,12 @@ const allowHeaders = ["Content-Type", "Authorization", "x-project-id", "Access-C
5454
5555// CORS must be first so OPTIONS preflights are answered before any other
5656// middleware (rate limiter, CSRF, auth) can return a response without headers.
57- // const publicCors = cors({
58- // origin: "*",
59- // credentials: true ,
60- // allowMethods,
61- // allowHeaders,
62- // });
57+ const publicCors = cors ( {
58+ origin : "*" ,
59+ credentials : false ,
60+ allowMethods,
61+ allowHeaders,
62+ } ) ;
6363
6464// const privateCors = cors({
6565// origin: ["https://developers-italia.vercel.app", ...whitelist],
@@ -68,9 +68,10 @@ const allowHeaders = ["Content-Type", "Authorization", "x-project-id", "Access-C
6868// allowHeaders,
6969// });
7070
71- if ( ! process . env . CORS_AT_INGRESS ) {
72- app . use ( "*" , cors ( ) ) ;
73- }
71+ // if (!process.env.CORS_AT_INGRESS) {
72+ app . use ( "*" , publicCors ) ;
73+ // }
74+
7475// if (!isDev) {
7576// app.use(`/charts/*`, publicCors);
7677// app.use(`/dashboards/*`, publicCors);
@@ -114,13 +115,13 @@ app.use("/auth/*", rateLimiter({
114115
115116
116117// // CSRF protection
117- // app.use(
118- // csrf({
119- // origin: isDev
120- // ? ["http://localhost:3000", "http://localhost:3003", ...whitelist]
121- // : process.env.HOST,
122- // }),
123- // );
118+ app . use (
119+ csrf ( {
120+ origin : isDev
121+ ? [ "http://localhost:3000" , "http://localhost:3003" , ...whitelist ]
122+ : process . env . HOST ,
123+ } ) ,
124+ ) ;
124125
125126// ═══════════════════════════════════════════════════════════════════════════════
126127// 🛣️ ROUTES
0 commit comments