Merge pull request #450 from adityack477/fix/cors-restrict-origin

mehul-m-prajapati · web-flow · commit 45a5923dc7a1 · 2026-05-23T17:50:42.000+05:30
fix(server): restrict CORS to allowed origin from env variable
diff --git a/backend/.env.example b/backend/.env.example
@@ -0,0 +1,4 @@
+SESSION_SECRET=your_strong_random_secret_here
+MONGO_URI=mongodb://localhost:27017/github_tracker
+PORT=5000
+CLIENT_URL=http://localhost:5173
diff --git a/backend/server.js b/backend/server.js
@@ -15,7 +15,10 @@ const logger = require('./logger');
 const app = express();
 
 // CORS configuration
-app.use(cors('*'));
+app.use(cors({
+  origin: process.env.CLIENT_URL || 'http://localhost:5173',
+  credentials: true,
+}));
 
 // Middleware
 app.use(bodyParser.json());
