improved CORS

CodeShellDev · CodeShellDev · commit 217dd36b6a92 · 2026-03-21T12:29:33.000+01:00
* added Vary header
* ACA headers are sent regardless of ACR headers
* ACA-Headers returns all allowed headers not just matching ones
diff --git a/data/defaults.yml b/data/defaults.yml
@@ -63,4 +63,10 @@ settings:
     cors:
       methods: [GET, POST, PUT, PATCH, DELETE, OPTIONS]
       headers:
-        ["Content-Type", "Authorization", "Accept", "Accept-Language", "Origin"]
+        [
+          "Content-Type",
+          "Content-Language",
+          "Authorization",
+          "Accept",
+          "Accept-Language",
+        ]
diff --git a/internals/proxy/middlewares/cors.go b/internals/proxy/middlewares/cors.go
@@ -3,7 +3,6 @@ package middlewares
 import (
 	"net/http"
 	"net/url"
-	"slices"
 	"strings"
 
 	"github.com/codeshelldev/secured-signal-api/internals/config"
@@ -47,48 +46,26 @@ func corsHandler(next http.Handler) http.Handler {
 
 		w.Header().Set("Access-Control-Allow-Origin", origin)
 
+		// add Origin header to Vary (if needed)
+		if w.Header().Get("Vary") != "*" {
+			w.Header().Add("Vary", "Origin")
+		}
+
 		// CORS preflight request
 		if req.Method == "OPTIONS" {
-			requestedMethod := req.Header.Get("Access-Control-Request-Method")
+			allowedMethods := matchingOrigin.Methods.ValueOrFallback(defaultMethods)
 
-			if requestedMethod != "" {
-				allowedMethods := matchingOrigin.Methods.ValueOrFallback(defaultMethods)
-
-				if len(allowedMethods) != 0 {
-					// only set if any (matching) methods
-					w.Header().Set("Access-Control-Allow-Methods", strings.Join(allowedMethods, ","))
-				}
+			if len(allowedMethods) != 0 {
+				// only set if any methods
+				w.Header().Set("Access-Control-Allow-Methods", strings.Join(allowedMethods, ","))
 			}
 
-			requestedHeaders := req.Header.Get("Access-Control-Request-Headers")
-
-			if requestedHeaders != "" {
-				allowedHeaders := matchingOrigin.Headers.ValueOrFallback(defaultHeaders)
-
-				matchingHeaders := []string{}
-
-				// echo back allowed and requested headers
-				for header := range strings.SplitSeq(requestedHeaders, ",") {
-					header = strings.TrimSpace(header)
-
-					var match string
-
-					if slices.ContainsFunc(allowedHeaders, func(allowed string) bool {
-						if strings.EqualFold(header, allowed) {
-							match = allowed
-							return true
-						}
 
-						return false
-					}) {
-						matchingHeaders = append(matchingHeaders, match)
-					}
-				}
+			allowedHeaders := matchingOrigin.Headers.ValueOrFallback(defaultHeaders)
 
-				if len(matchingHeaders) != 0 {
-					// only set if any (matching) headers
-					w.Header().Set("Access-Control-Allow-Headers", strings.Join(matchingHeaders, ","))
-				}
+			if len(allowedHeaders) != 0 {
+				// only set if any headers
+				w.Header().Set("Access-Control-Allow-Headers", strings.Join(allowedHeaders, ","))
 			}
 
 			w.WriteHeader(http.StatusNoContent)
