initvglidrbtgrthijl;

apps/api/src/app.ts

@@ -25,10 +25,22 @@ const app = express();
 app.set('trust proxy', 1);
 
 app.use(helmet());
+
+// CORS — поддерживаем 3 режима:
+//   1. wildcard ['*'] — любой origin (для dev/staging); credentials force=false (browser spec)
+//   2. whitelist [a, b, c] — только эти origins
+//   3. пустой массив — все cross-origin blocked (fail-secure default)
+const corsOrigins = env.cors.origins;
+const corsIsWildcard = corsOrigins.length === 1 && corsOrigins[0] === '*';
+if (corsIsWildcard) {
+  // eslint-disable-next-line no-console
+  console.warn('[CORS] WILDCARD enabled (CORS_ORIGINS=*) — any origin can call API. Use only for dev/staging. Production: use explicit whitelist.');
+}
 app.use(
   cors({
-    origin: env.cors.origins.length > 0 ? env.cors.origins : false,
-    credentials: env.cors.allowCredentials,
+    origin: corsIsWildcard ? '*' : (corsOrigins.length > 0 ? corsOrigins : false),
+    // Wildcard incompatible с credentials per browser spec — force false при wildcard.
+    credentials: corsIsWildcard ? false : env.cors.allowCredentials,
   }),
 );
 app.use(express.json({ limit: '64kb' })); // защита от больших payload-DoS