📜 Description
The backend uses a wildcard * to allow any origin to communicate with the server. However, immediately below this line, the application configures and relies on express-session and passport for stateful cookie-based session tracking (passport.session()).
By allowing a global origin wildcard alongside credentialed state tracking, it creates a massive opening for Cross-Site Request Forgery (CSRF) and credential-sharing complications. Modern web browsers will reject requests that attempt to pass matching authentication cookies when CORS is explicitly configured to a reckless wildcard state.
Proposed Solution:
Restrict allowed origins using an environment variable managed inside .env so that only the designated frontend URL can access database-altering routes.
```js
// backend/server.js
const express = require('express');
const cors = require('cors');

const app = express();

// Only the designated frontend origin may make credentialed cross-origin requests
const corsOptions = {
  origin: process.env.FRONTEND_URL || 'http://localhost:5173',
  credentials: true
};
app.use(cors(corsOptions));
```
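As an added example (not code from the issue or the project), the wildcard policy and an allowlist policy side by side, together with a small model of the browser-side rule that makes `Access-Control-Allow-Origin: *` unusable with cookies: under the Fetch standard a credentialed response is only exposed to the page when the header names the requesting origin exactly and `Access-Control-Allow-Credentials` is exactly `true`. The code assumes a `FRONTEND_URL` that may hold a comma-separated list of origins (the issue only shows a single URL) and the `cors` package's callback form of the `origin` option; the origins in the demo are constructed values.

```javascript
// Added example, not the project's own code. Assumptions: FRONTEND_URL may be a
// comma-separated list of origins, and the cors package's `origin(origin, cb)`
// callback form is used. All origins below are constructed sample values.

// Weak setting: "*" for everyone. Paired with credentials, browsers refuse to
// expose the response; without them, any site can read the API.
function wildcardCorsHeaders() {
  return {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Parse the allowlist from an env value: trim entries, drop empties, fall back
// to a single default origin when nothing is configured.
function parseAllowedOrigins(envValue, fallbackOrigin) {
  const list = (envValue || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  return list.length > 0 ? list : [fallbackOrigin];
}

// Exact-string match on scheme + host + port. No substring or regex matching,
// so "https://app.example.com.attacker.test" never qualifies.
function isAllowedOrigin(requestOrigin, allowedOrigins) {
  return typeof requestOrigin === 'string' && allowedOrigins.includes(requestOrigin);
}

// Hardened setting: reflect the requesting origin only when it is allowlisted;
// otherwise send no CORS headers at all.
function allowlistCorsHeaders(requestOrigin, allowedOrigins) {
  if (!isAllowedOrigin(requestOrigin, allowedOrigins)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin', // stop shared caches replaying one origin's header to another
  };
}

// Options object for app.use(cors(...)) implementing the same allowlist.
function buildCorsOptions(allowedOrigins) {
  return {
    origin(requestOrigin, callback) {
      // cors passes undefined when the request carried no Origin header;
      // those requests simply get no CORS headers.
      callback(null, isAllowedOrigin(requestOrigin, allowedOrigins));
    },
    credentials: true,
  };
}

// Model of the browser's CORS check for a credentialed request: the response
// is exposed only if ACAO equals the requesting origin (never "*") and ACAC
// is exactly "true".
function browserExposesCredentialedResponse(requestOrigin, headers) {
  return (
    headers['Access-Control-Allow-Origin'] === requestOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true'
  );
}

// Stand-alone demo over constructed origins; returns the outcome per origin.
function demo() {
  const allowed = parseAllowedOrigins(
    'https://app.example.com, http://localhost:5173',
    'http://localhost:5173'
  );
  const results = {};
  for (const origin of ['https://app.example.com', 'https://evil.example']) {
    results[origin] = {
      wildcard: browserExposesCredentialedResponse(origin, wildcardCorsHeaders()),
      allowlist: browserExposesCredentialedResponse(origin, allowlistCorsHeaders(origin, allowed)),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The demo shows that the wildcard exposes the response to nobody once cookies are involved (the browser rejects `*`), while the allowlist exposes it to the configured frontend and to nothing else. Note the exact-match comparison: the origin list should be compared as whole strings, since prefix or substring checks reopen the hole the allowlist is meant to close.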
I would like to work on this issue. I am a contributor participating in GSSoC 2026 and I want to contribute to this project. Please assign this task to me!
What browsers are you seeing the problem on?
No response
📃 Relevant Screenshots (Links)
No response