aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/server/middleware/cors.ts
diff options
context:
space:
mode:
Diffstat (limited to 'src/server/middleware/cors.ts')
-rw-r--r--src/server/middleware/cors.ts42
1 files changed, 42 insertions, 0 deletions
diff --git a/src/server/middleware/cors.ts b/src/server/middleware/cors.ts
new file mode 100644
index 0000000..ce097ac
--- /dev/null
+++ b/src/server/middleware/cors.ts
@@ -0,0 +1,42 @@
+import { cors } from "hono/cors";
+
+/**
+ * CORS middleware configuration.
+ * Uses CORS_ORIGIN environment variable to configure allowed origins.
+ * If not set, defaults to same-origin only (no CORS headers).
+ *
+ * Examples:
+ * - CORS_ORIGIN=https://kioku.example.com (single origin)
+ * - CORS_ORIGIN=https://example.com,https://app.example.com (multiple origins)
+ */
+function getAllowedOrigins(): string[] {
+ const origins = process.env.CORS_ORIGIN;
+ if (!origins) {
+ return [];
+ }
+ return origins.split(",").map((o) => o.trim());
+}
+
+export function createCorsMiddleware() {
+ const allowedOrigins = getAllowedOrigins();
+
+ // If no origins configured, don't add CORS headers
+ if (allowedOrigins.length === 0) {
+ return cors({
+ origin: () => "",
+ });
+ }
+
+ return cors({
+ origin: allowedOrigins,
+ allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+ allowHeaders: ["Content-Type", "Authorization"],
+ exposeHeaders: [
+ "RateLimit-Limit",
+ "RateLimit-Remaining",
+ "RateLimit-Reset",
+ ],
+ maxAge: 86400, // 24 hours
+ credentials: true,
+ });
+}
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2026-01-16 03:06:42 +0000