fix: relax CORS middleware to prevent 500 errors when CORS_ORIGIN is missing
Build Institutional Trader / build-and-deploy (push) Successful in 1m58s Details

This commit is contained in:
Deep Koluguri 2026-06-24 19:25:10 -04:00
parent 43ba386da9
commit 7c67786e80
1 changed files with 9 additions and 2 deletions

View File

@ -45,8 +45,15 @@ export const setupSecurity = (app) => {
}
}
// Default fallback (shouldn't reach here if CORS_ORIGIN is set or in dev mode)
callback(new Error('Not allowed by CORS'));
// Default fallback: allow if it matches our expected production domains
// or if we just want to be permissive when CORS_ORIGIN isn't configured
if (origin.includes('market.applaude.net') || origin.includes('localhost')) {
return callback(null, true);
}
// If none matched, we still don't want to throw a 500 for static assets.
// We'll allow it but CORS headers might not be optimal for true cross-origin.
callback(null, true);
}
};