fix: harden CORS to allow Vercel deployments

80147bab · AravindR-K · f446c644 · 80147bab
Commit 80147bab authored Apr 08, 2026 by AravindR-K
Show whitespace changes
Inline Side-by-side

Showing with 25 additions and 10 deletions

Backend/server.js Backend/server.js +25 -10

No files found.
--- a/Backend/server.js
+++ b/Backend/server.js
@@ -13,21 +13,36 @@ connectDB();
 const app = express();

 // Middleware
-app.use(cors({
-  origin: function (origin, callback) {
-    const allowed = [
+const allowedOrigins = [
  'http://localhost:4200',
+  'http://localhost:3000',
  process.env.FRONTEND_URL
-    ];
-    // Allow any origin that ends with 'vercel.app' or is directly allowed
-    if (!origin || allowed.includes(origin) || origin.endsWith('vercel.app')) {
-      callback(null, true);
-    } else {
-      callback(null, false);
+].filter(Boolean);
+
+app.use(cors({
+  origin: function (origin, callback) {
+    // Allow requests with no origin (mobile apps, curl, Postman, server-to-server)
+    if (!origin) return callback(null, true);
+
+    // Allow any vercel.app previews and production deployments
+    if (origin.endsWith('.vercel.app') || origin.includes('vercel.app')) {
+      return callback(null, true);
+    }
+
+    // Allow explicitly listed origins
+    if (allowedOrigins.includes(origin)) {
+      return callback(null, true);
    }
+
+    // Block everything else
+    console.warn(`CORS blocked origin: ${origin}`);
+    return callback(new Error(`CORS policy: origin ${origin} not allowed`), false);
  },
-  credentials: true
+  credentials: true,
+  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+  allowedHeaders: ['Content-Type', 'Authorization']
 }));
+
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 app.use(cookieParser());