From 64c106426a2a141f67495a5195ddd1cd4571c96c Mon Sep 17 00:00:00 2001
From: Aditya Kadam
Date: Sat, 23 May 2026 17:24:27 +0530
Subject: [PATCH] fix(server): restrict CORS to allowed origin from env variable
---
 backend/.env.example | 4 ++++
 backend/server.js | 5 ++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 backend/.env.example
diff --git a/backend/.env.example b/backend/.env.example
new file mode 100644
index 00000000..b0c02ac8
--- /dev/null
+++ b/backend/.env.example
@@ -0,0 +1,4 @@
+SESSION_SECRET=your_strong_random_secret_here
+MONGO_URI=mongodb://localhost:27017/github_tracker
+PORT=5000
+CLIENT_URL=http://localhost:5173
diff --git a/backend/server.js b/backend/server.js
index e9b43f83..cb4900cf 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -14,7 +14,10 @@ const logger = require('./logger');
 const app = express();
 // CORS configuration
-app.use(cors('*'));
+app.use(cors({
+ origin: process.env.CLIENT_URL || 'http://localhost:5173',
+ credentials: true,
+}));
 // Middleware
 app.use(bodyParser.json());
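Review bot: The new `backend/.env.example` carries no comments on its two security-relevant values. `SESSION_SECRET=your_strong_random_secret_here` is itself a working string, so a file copied unchanged starts the server with a publicly known secret; a line such as `# Replace before use: long random value from a CSPRNG; keep the real .env out of version control` above it would make that explicit. Above `CLIENT_URL`, a comment such as `# Exact browser origin allowed by CORS (scheme://host[:port], no path or trailing slash)` would document the matching rule that the `origin` option in server.js depends on.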
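Review bot: The `|| 'http://localhost:5173'` fallback in the new `origin` option fails open to the development origin whenever `CLIENT_URL` is unset, and since `credentials: true` is added in the same call, that origin would be permitted to send cookie-bearing requests. A deployed server should refuse to start instead, for example `const origin = process.env.CLIENT_URL;` followed by `if (!origin) throw new Error('CLIENT_URL must be set');`, keeping the localhost default only behind an explicit development check. The hunk starts at line 14, so it is not visible whether the `.env` file is loaded before this call; if it is loaded later, the fallback would always be the value used. With credentials now allowed cross-origin, the session cookie's `SameSite`/`Secure` settings and any CSRF protection, which are outside this hunk, are worth confirming.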