Skip to content

fix: restrict CORS origins and gate webhook events endpoint#2

Merged
princemuichkine merged 2 commits into
mainfrom
cursor/at-rest-vulnerability-handling-9649
Jun 29, 2026
Merged

fix: restrict CORS origins and gate webhook events endpoint#2
princemuichkine merged 2 commits into
mainfrom
cursor/at-rest-vulnerability-handling-9649

Conversation

@cursor

@cursor cursor Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes two security vulnerabilities found during an at-rest security scan.

1. HIGH — Wildcard CORS enables cross-origin API key abuse

All four reference servers used cors() with no origin restrictions. Any website a developer visits while running these servers could silently create checkout sessions and initiate charges (Wave, MTN, card) via cross-origin requests — abusing the merchant's secret API key.

Fix: Replace cors() with cors({ origin: appBaseUrl }) on all four servers, restricting cross-origin requests to the app's own frontend origin.

2. MEDIUM — Unauthenticated webhook event endpoint exposes payment data

GET /api/webhooks/events returned the full in-memory webhook log (transaction IDs, amounts, customer PII) with no authentication. Combined with the wildcard CORS, any website could silently exfiltrate this data.

Fix: Add optional ADMIN_TOKEN Bearer auth on the events endpoint. When ADMIN_TOKEN is set in .env, requests must include Authorization: Bearer <token>. When unset, the endpoint remains open (backward-compatible for local development).

Files changed

File Change
*/server/index.js (×4) cors()cors({ origin: appBaseUrl }), auth gate on events endpoint
*/.env.example (×4) Document optional ADMIN_TOKEN variable

Testing

  • Existing frontend demos continue to work (same-origin requests are allowed)
  • Cross-origin requests from other origins are now blocked
  • Webhook events endpoint requires Authorization: Bearer <token> header when ADMIN_TOKEN is set
Open in Web View Automation 

cursoragent and others added 2 commits June 29, 2026 10:34
- Replace wildcard cors() with cors({ origin: appBaseUrl }) on all four
  reference servers to prevent cross-origin API key abuse from arbitrary
  websites.

- Add optional ADMIN_TOKEN Bearer auth on /api/webhooks/events to prevent
  unauthenticated access to sensitive payment and customer data.

- Update .env.example files to document the new ADMIN_TOKEN variable.

Fixes: wildcard CORS + unauthenticated payment endpoints (HIGH),
unauthenticated webhook event endpoint data exposure (MEDIUM).

Co-authored-by: Babacar Diop <princemuichkine@users.noreply.github.com>
@princemuichkine princemuichkine marked this pull request as ready for review June 29, 2026 22:57
@princemuichkine princemuichkine merged commit e3acdea into main Jun 29, 2026
1 check passed
@princemuichkine princemuichkine deleted the cursor/at-rest-vulnerability-handling-9649 branch June 29, 2026 22:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants