@zlylong zlylong commented Feb 9, 2026

Motivation
Make CORS policy explicit and configurable so frontend origin changes can be updated from environment/wrangler config rather than a hardcoded `*`.
Ensure sensible defaults for credentials and request/response headers, and reduce unsafe open CORS settings.
Description
Replace the global cors() call with an env-driven allowlist implementation in mail-worker/src/hono/hono.js that parses c.env values and normalizes origins via normalizeOrigin and parseCorsOrigins functions.
Configure the middleware origin callback to only return an allowed origin from env, and set credentials: false, allowHeaders: ['Authorization', 'Content-Type'], and exposeHeaders: ['Content-Disposition'] in the cors options.
Document a cors_origins example variable in mail-worker/wrangler.toml (commented) so deployers can supply allowed frontend domains (e.g. `[
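The allowlist logic the PR describes, as an added example that is not the mail-worker project's own code: the function names `normalizeOrigin` and `parseCorsOrigins` and the option values come from the PR text; their bodies, the accepted formats for the `cors_origins` variable (a JSON array or a comma-separated string, since wrangler vars may arrive as either), the `buildCorsOptions` wrapper and all sample origins are assumptions. The options object is shaped for Hono's `cors()` middleware (an `origin` callback returning the allowed origin or `null`, which yields no `Access-Control-Allow-Origin` header), but the block does not import Hono so it runs stand-alone.

```javascript
// Added example, not code from the PR. Assumed: env.cors_origins is a JSON
// array string, a comma-separated string, or an actual array of origins.

// Reduce one configured value to a canonical origin (scheme://host[:port]),
// or null if it is not a usable http(s) origin. Wildcards, paths and
// malformed entries are rejected rather than passed through.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  const trimmed = value.trim();
  if (!trimmed) return null;
  let url;
  try {
    url = new URL(trimmed);
  } catch {
    return null; // "*", "null", bare hostnames etc. are not absolute URLs
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // URL.origin lowercases scheme/host and drops default ports and paths.
  return url.origin;
}

// Parse the raw env value into a de-duplicated list of normalized origins.
function parseCorsOrigins(raw) {
  if (raw == null) return [];
  let items;
  if (Array.isArray(raw)) {
    items = raw;
  } else {
    const text = String(raw).trim();
    if (text.startsWith("[")) {
      try {
        items = JSON.parse(text);
      } catch {
        items = [];
      }
      if (!Array.isArray(items)) items = [];
    } else {
      items = text.split(",");
    }
  }
  const out = new Set();
  for (const item of items) {
    const origin = normalizeOrigin(item);
    if (origin) out.add(origin);
  }
  return [...out];
}

// Build the options object for Hono's cors() from the worker env.
// The origin callback echoes the request origin only when it is on the
// allowlist; null means the middleware emits no Access-Control-Allow-Origin.
function buildCorsOptions(env) {
  const allowed = new Set(parseCorsOrigins(env.cors_origins));
  return {
    origin: (requestOrigin) => {
      const origin = normalizeOrigin(requestOrigin);
      return origin && allowed.has(origin) ? origin : null;
    },
    credentials: false,
    allowHeaders: ["Authorization", "Content-Type"],
    exposeHeaders: ["Content-Disposition"],
  };
}

// Constructed sample env mirroring the commented wrangler.toml variable.
const sampleEnv = {
  cors_origins: '["https://mail.example.com", "HTTPS://App.Example.com/", "*"]',
};
const sampleOptions = buildCorsOptions(sampleEnv);
console.log(parseCorsOrigins(sampleEnv.cors_origins));
console.log(sampleOptions.origin("https://mail.example.com")); // allowed
console.log(sampleOptions.origin("https://evil.example")); // null
```

In an actual `hono.js` the result of `buildCorsOptions(c.env)` would be passed to `cors(...)`; because the env is read per request, the callback must be cheap, which is why the allowlist is materialized into a `Set` once per options object rather than re-parsed on every origin check.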
