
fix(server): restrict Socket.IO CORS to configured frontend origin [NSoC'26]#141

Merged
Shriii19 merged 1 commit into
Shriii19:masterfrom
anshul23102:fix/136-socketio-cors
Jun 1, 2026

Conversation

@anshul23102

Description

The Socket.IO server was initialized with cors: { origin: "*" }. This allowed any third-party website to open a WebSocket connection to FlowForge from a visitor's browser, subscribe to real-time chat events, join rooms, and inject messages without any origin restriction.

Related Issue

Closes #136

Type of Change

  • Bug fix (security)

Root Cause

origin: "*" is a wildcard that permits WebSocket upgrade requests from any origin. There was no mechanism to restrict connections to the known frontend URL.

Changes Made

File               Change
-----------------  --------------------------------------------------------------------------------------------
backend/server.js  Replaced cors: { origin: "*" } with cors: { origin: ALLOWED_ORIGIN, methods: ["GET", "POST"] }
backend/server.js  Added ALLOWED_ORIGIN constant read from process.env.FRONTEND_URL, defaulting to http://localhost:5173

Screenshots or Demo

Not applicable (backend-only change).

Testing Done

  • WebSocket connection from http://localhost:5173 succeeds.
  • WebSocket connection from a different origin is rejected with a CORS error.
  • Set FRONTEND_URL=https://your-production-domain.com in .env for production deployments.

Checklist

  • I have read the CONTRIBUTING.md and followed its guidelines
  • My code follows the style and formatting of this project
  • I have tested my changes locally and they work as expected
  • No unnecessary files modified outside the scope of this issue
  • There are no merge conflicts with the base branch
  • This PR is linked to the correct issue
  • I have not used any AI-generated content in this PR

NSoC Label Request

@Shriii19 could you please add the appropriate NSoC '26 label to this PR? It helps with tracking and scoring. Thank you!

…SoC'26]

cors: { origin: '*' } allowed any website to open a WebSocket upgrade
request to the FlowForge server. A malicious third-party page could
join rooms, receive real-time chat events, or inject messages through
a visitor's active browser session without any origin restriction.

Replaced the wildcard with ALLOWED_ORIGIN sourced from the FRONTEND_URL
environment variable (defaults to http://localhost:5173 for local
development). Added methods: ['GET', 'POST'] to the cors config for
explicit control.

Closes Shriii19#136
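The allowlist described in this PR and its commit message, as an example added by the editor (not code from the FlowForge repository or the PR): an exact-match origin check that serves the Socket.IO cors option and, because browsers do not enforce CORS on the WebSocket upgrade itself, the allowRequest option as well. The comma-separated FRONTEND_URL format and the hostnames are assumptions.

```javascript
// Editor-added example, not code from the FlowForge PR: an exact-match origin
// allowlist for Socket.IO, replacing the wildcard `cors: { origin: "*" }`.
// Hostnames below are placeholders; FRONTEND_URL is the PR's variable.

// Accept a comma-separated FRONTEND_URL so staging and production can both be
// listed. Each entry is reduced to its origin (scheme + host + port), so
// "https://App.example.com/" and "https://app.example.com" compare equal.
function parseAllowedOrigins(raw) {
  return (raw || "http://localhost:5173")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => new URL(s).origin);
}

// Exact comparison of normalised origins. A prefix or substring test would
// also admit "https://app.example.com.evil.test".
function isAllowedOrigin(origin, allowed) {
  if (typeof origin !== "string") return false; // no Origin header at all
  let normalised;
  try {
    normalised = new URL(origin).origin;
  } catch {
    return false; // malformed Origin header
  }
  if (normalised === "null") return false; // opaque origin (sandboxed iframe, file://)
  return allowed.includes(normalised);
}

// Shape expected by the `cors` package Socket.IO uses: callback(err, allow).
function corsOrigin(allowed) {
  return (origin, callback) => callback(null, isAllowedOrigin(origin, allowed));
}

// Browsers apply CORS to the HTTP long-polling transport but not to the
// WebSocket upgrade, so a client using transports: ["websocket"] is not
// stopped by the cors option alone. allowRequest sees every handshake.
function allowRequest(allowed) {
  return (req, callback) => {
    const ok = isAllowedOrigin(req.headers.origin, allowed);
    callback(ok ? null : "origin not allowed", ok);
  };
}

// Wiring (needs socket.io, so left as a comment):
// const allowed = parseAllowedOrigins(process.env.FRONTEND_URL);
// const io = new Server(httpServer, {
//   cors: { origin: corsOrigin(allowed), methods: ["GET", "POST"] },
//   allowRequest: allowRequest(allowed),
// });
```

CORS and the Origin check decide only which browser pages may open a connection; a non-browser client can send any Origin header, so room joins and message handlers still need their own authentication.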
@vercel

vercel Bot commented May 31, 2026

@anshul23102 is attempting to deploy a commit to the shreemp194-gmailcom's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

👋 Thank you for opening this pull request! I will review your changes and assist you soon.

@vercel

vercel Bot commented Jun 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project     Deployment   Actions            Updated (UTC)
flow-forge  Ready        Preview, Comment   Jun 1, 2026 4:52pm

@Shriii19 Shriii19 merged commit 7403c92 into Shriii19:master Jun 1, 2026
7 checks passed


Development

Successfully merging this pull request may close these issues.

[Security][Level 2] backend/server.js: Socket.IO CORS is set to origin:* allowing connections from any website
