Harden CORS configuration for production — restrict origins, methods, and headers explicitly

[robertocarlous]

Summary

The current CORS configuration in src/middleware/corsandbody.ts likely permits broad origins or uses a permissive default. In production, CORS must be restricted to known client origins to prevent cross-site request forgery from arbitrary domains.

Proposed Solution

• Replace any wildcard or permissive CORS config with an explicit allowlist driven by env vars:

CORS_ALLOWED_ORIGINS=https://app.neurowealth.io,https://admin.neurowealth.io

• Allow only: GET, POST, PUT, DELETE, OPTIONS
• Allow only required headers: Content-Type, Authorization, Idempotency-Key, X-Correlation-ID
• Set credentials: true only for authenticated routes
• Return 403 (not just a missing header) for disallowed origins
• Validate CORS_ALLOWED_ORIGINS at startup — refuse to start if empty in production

Acceptance Criteria

• Requests from unlisted origins receive 403
• Preflight OPTIONS requests respond correctly for allowed origins
• CORS_ALLOWED_ORIGINS validated at startup; missing in NODE_ENV=production is a fatal error
• Integration tests cover allowed origin, disallowed origin, and preflight
• CORS_ALLOWED_ORIGINS documented in .env.example

[GazzyLee]

gm gm boss, I’d be happy to take this on. I can tighten the CORS configuration by implementing an environment-driven allowlist, startup validation, secure defaults for methods, headers, and credentials, along with integration tests and documentation updates. ETD is in 2 hours tops, please assign.

[Blessed-Femi]

@Blessed-Femi has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

I will love to work on this issue. I work effectively and on time.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Blessed-Femi to this issue.

[Zeemnew]

@Zeemnew has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hello @maintainer, I’ve gone through the requirements and I’m confident I can implement a proper solution that matches the acceptance criteria. Kindly assign this issue to me. And I will deliver at the shortest possible time.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Zeemnew to this issue.

[khanavi272-spec]

@khanavi272-spec has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

I would like to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @khanavi272-spec to this issue.

[BernardOnuh]

@BernardOnuh has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi maintainer, I’ve reviewed this issue and I would love to work

ℹ️ Repo Maintainers: To accept this application, review their application or assign @BernardOnuh to this issue.

[drips-wave]

Congratulations, @BernardOnuh! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @BernardOnuh: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[grantfox-oss]

🎉 This issue has been marked as completed on GrantFox as part of the Official Campaign campaign!

@BernardOnuh's PR #273 was approved and merged by @robertocarlous.

🏆 @BernardOnuh: You earned 35 FoxPoints for this contribution! Your current tier: Explorer (401 total points). Track your full progress on GrantFox.

👏 Great work, @BernardOnuh! Keep contributing to Neurowealth.

[drips-wave]

This issue has been completed by @BernardOnuh as part of the Stellar Wave Program's 6th Wave 🥳

😎 @BernardOnuh: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.