fix: improve cors security

mandrasch · Feb 5, 2025 · 7d8453c · 7d8453c
1 parent 02614b5
commit 7d8453c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -157,8 +157,9 @@ web_extra_exposed_ports:
         strictPort = true,
         // origin is important, see https://nystudio107.com/docs/vite/#vite-processed-assets
         origin: `${process.env.DDEV_PRIMARY_URL}:5173`
-        // Configure CORS for the dev server (security)
-       cors: { origin: /https?:\/\/([A-Za-z0-9\-\.]+)?(localhost|\.site)(?::\d+)?$/ },
+        // Configure CORS securely for the Vite dev server to allow requests
+      // from *.ddev.site domains, supports additional hostnames (via regex)
+      cors: { origin: /https?:\/\/([A-Za-z0-9\-\.]+)?(\.ddev\.site)(?::\d+)?$/ },
     },
 ```
 

diff --git a/vite.config.js b/vite.config.js
@@ -49,16 +49,15 @@ export default ({ command }) => ({
     },
     // adjustments for ddev:
     server: {
-        // respond to all network requests:
+        // Respond to all network requests
         host: '0.0.0.0',
         port: port,
         strictPort: true,
         // origin is important, see https://nystudio107.com/docs/vite/#vite-processed-assets
         origin: origin,
-        // Configure CORS for devserver (security)
-        cors: {
-            origin: /https?:\/\/([A-Za-z0-9\-\.]+)?(localhost|\.site)(?::\d+)?$/
-        },
+        // Configure CORS securely for the Vite dev server to allow requests
+        // from *.ddev.site domains, supports additional hostnames (via regex)
+        cors: { origin: /https?:\/\/([A-Za-z0-9\-\.]+)?(\.ddev\.site)(?::\d+)?$/ },
     },
     plugins: [
         ViteRestart({