
🐛 Bug Report: Wildcard CORS Configuration Combined With Missing Cookie Security Flags Creates Unsafe Cross-Origin Session Behavior #454

@Ridanshi


📜 Description

Summary

The backend currently uses a wildcard CORS policy together with insecure/default session cookie behavior.

This combination creates:

  • unsafe cross-origin request behavior,
  • CSRF exposure risks,
  • and deployment incompatibilities once authenticated cross-origin requests are required.

Affected Files

backend/server.js
src/pages/Login/Login.tsx

Root Cause

The backend currently registers:

app.use(cors('*'));

while session cookies are created without explicit:

  • sameSite
  • secure
  • or hardened cookie settings.

Current session configuration:

app.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
}));

This produces multiple problems simultaneously:

1. Wildcard CORS

Access-Control-Allow-Origin: *

cannot safely support authenticated browser requests.

2. Missing Cookie Security Flags

Session cookies may be:

  • sent cross-site,
  • transmitted insecurely over HTTP,
  • or behave inconsistently across browsers.

3. Future Credentialed Requests Break

If future contributors enable:

withCredentials: true

the browser will reject requests because wildcard CORS cannot be combined with credentialed cross-origin requests.


Security Impact

This creates multiple operational and security risks:

CSRF Exposure

Without strict SameSite handling, browsers may attach session cookies during cross-origin form submissions or navigations.

Insecure Cookie Transmission

Without the Secure flag, cookies may be transmitted over plain HTTP in non-production/misconfigured deployments.

Broken Auth Behavior

The current setup prevents safe credentialed frontend/backend separation.

Any future authenticated cross-origin architecture will require breaking CORS changes.


Failure Scenario

Example current configuration:

Frontend → localhost:5173
Backend → localhost:5000

Once credentialed requests are enabled:

  • browser rejects requests,
  • session propagation breaks,
  • and authentication becomes unreliable.

Proposed Fix

Replace wildcard CORS with an explicit origin allowlist.

Suggested approach:

app.use(cors({
  origin: process.env.FRONTEND_ORIGIN,
  credentials: true,
}));

Add hardened cookie configuration inside the session() options:

cookie: {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production',
  sameSite: 'strict',
}

Additional recommendations:

  • document required frontend origin env vars,
  • reject unknown origins,
  • validate deployment configuration during startup.
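
The allowlist and cookie settings above, worked into runnable form as an added example (not the project's backend/server.js): FRONTEND_ORIGIN is assumed to hold a comma-separated list of exact origins, and the objects returned are what would be passed to cors() and session().

```javascript
// Added example (not the project's code): explicit origin allowlist with credentialed
// CORS, hardened session cookie options, and a startup config check.
// Assumes FRONTEND_ORIGIN holds one or more comma-separated exact origins.

// Normalise allowlist entries to exact origins (scheme://host[:port]); wildcards are refused.
function parseAllowlist(raw) {
  const text = raw || '';
  if (text.includes('*')) throw new Error('wildcard origins are not allowed');
  return text.split(',').map((s) => s.trim()).filter(Boolean).map((s) => {
    const origin = new URL(s).origin; // throws on malformed entries; drops any path
    if (origin === 'null') throw new Error(`opaque origin not allowed: ${s}`);
    return origin;
  });
}

// Origin callback in the shape the cors package expects: (origin, cb) => cb(err, allow).
// Same-origin and non-browser requests carry no Origin header and pass through here; the
// session cookie and SameSite policy still gate them.
function originAllowed(allowlist, origin, cb) {
  if (origin === undefined || allowlist.includes(origin)) return cb(null, true);
  return cb(new Error(`Origin not allowed by CORS: ${origin}`), false);
}

// Options for cors(): the response echoes the matched origin (never '*') together with
// Access-Control-Allow-Credentials: true, which credentialed fetches require.
function buildCorsOptions(env) {
  const allowlist = parseAllowlist(env.FRONTEND_ORIGIN);
  return { origin: (origin, cb) => originAllowed(allowlist, origin, cb), credentials: true };
}

// Options for express-session(): Secure only in production so local HTTP dev still works;
// sameSite 'strict' assumes frontend and backend share a site (e.g. both on localhost).
function buildSessionOptions(env) {
  const production = env.NODE_ENV === 'production';
  return {
    secret: env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    cookie: { httpOnly: true, secure: production, sameSite: 'strict' },
  };
}

// Startup validation: returns the list of problems; refuse to start when it is non-empty.
function validateConfig(env) {
  const problems = [];
  if (!env.SESSION_SECRET || env.SESSION_SECRET.length < 32) problems.push('SESSION_SECRET missing or shorter than 32 chars');
  try {
    const allowlist = parseAllowlist(env.FRONTEND_ORIGIN);
    if (allowlist.length === 0) problems.push('FRONTEND_ORIGIN must list at least one origin');
    if (env.NODE_ENV === 'production' && allowlist.some((o) => o.startsWith('http:'))) problems.push('production origins must use https');
  } catch (e) { problems.push(`FRONTEND_ORIGIN invalid: ${e.message}`); }
  return problems;
}
```

Call validateConfig(process.env) before app.listen() and exit on any problem. Behind a TLS-terminating proxy, app.set('trust proxy', 1) is also needed for express-session to set Secure cookies.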

Acceptance Criteria

  • wildcard CORS removed
  • explicit frontend allowlist configured
  • credentialed requests function correctly
  • session cookies include:
    • HttpOnly
    • SameSite
    • Secure (production)
  • unauthorized origins rejected
  • authenticated frontend/backend flow verified

Why This Matters

Cross-origin authentication behavior becomes extremely fragile when:

  • wildcard CORS,
  • browser cookies,
  • and session authentication

are combined without explicit security policy design.

This issue affects:

  • deployment safety,
  • authentication reliability,
  • and long-term frontend/backend architecture stability.
