Calmony Sanctions Monitor documentation (Features). Updated March 11, 2026

CORS Configuration Security Hardening (v0.1.5)

Released in: v0.1.5
Compliance control: ISO-03 (ISO 27001)

Overview

Prior to v0.1.5, the platform's API endpoints, including the REST API v1 at /api/v1/, had no explicit Cross-Origin Resource Sharing (CORS) policy. No Access-Control-Allow-Origin headers were defined in next.config.ts or middleware.ts, so the effective policy was whatever the Next.js framework defaults and individual route handlers produced. Next.js emits no CORS headers on its own, which leaves browsers applying the same-origin policy to cross-origin reads, but that outcome was implicit rather than deliberate: it had never been reviewed against the intended API usage, and any route handler that set its own headers could have widened it without review.

v0.1.5 remediated this by introducing an explicit CORS configuration aligned with the platform's intended API usage patterns.


What Changed

REST API v1 (/api/v1/)

The REST API v1 is designed exclusively for server-to-server integrations (e.g. your internal compliance tooling calling the sanctions screening API directly). Browser-based cross-origin requests to these endpoints are not an intended use case.

CORS headers are now set explicitly so that only a defined allowlist of origins may read responses from these endpoints. The wildcard (*) origin is not used. Two caveats apply. First, Access-Control-Allow-Origin carries a single value, so an allowlist of more than one origin has to be enforced per request by matching the Origin header exactly against the list and echoing the matched entry, with Vary: Origin set; a fixed header in next.config.ts can express only one origin. Second, CORS governs what a browser may read, not who may call the endpoint: non-browser clients ignore it, so the existing API v1 authentication is unchanged and remains the access control for server-to-server callers.

Other API Endpoints

All other API endpoints that previously lacked an explicit policy have been reviewed and now carry appropriate CORS headers.

NextAuth Endpoints

No changes were made to NextAuth-managed routes. CORS for authentication endpoints continues to be handled internally by the NextAuth library and is not affected by this configuration.


Configuration

CORS policy is enforced either via the headers() function in next.config.ts or via a middleware function in middleware.ts. Allowed origins are controlled through environment configuration. Do not set Access-Control-Allow-Origin: * for API v1 endpoints in any environment, and do not echo the request's Origin header back without first checking it against the allowlist: an unconditional echo is equivalent to a wildcard and, combined with Access-Control-Allow-Credentials: true, also permits credentialed cross-origin reads, which a literal wildcard never does.

Example — Restricting API v1 Origins

// next.config.ts (illustrative)
import type { NextConfig } from 'next';

// A fixed header can carry exactly one origin, so this form suits a single
// permitted origin. Several origins need per-request matching in middleware.ts.
const apiV1Origin = process.env.ALLOWED_ORIGIN;

const nextConfig: NextConfig = {
  async headers() {
    // If the origin is unset, emit no CORS headers at all: browsers then deny
    // cross-origin reads by default, which fails closed. Never fall back to '*'
    // or to an empty header value.
    if (!apiV1Origin) return [];
    return [
      {
        source: '/api/v1/:path*',
        headers: [
          { key: 'Access-Control-Allow-Origin', value: apiV1Origin }, // explicit origin, never wildcard
          { key: 'Access-Control-Allow-Methods', value: 'GET, POST, OPTIONS' },
          { key: 'Access-Control-Allow-Headers', value: 'Content-Type, Authorization' },
        ],
      },
    ];
  },
};

export default nextConfig;

Note: The above is illustrative. Refer to your deployed next.config.ts or middleware.ts for the authoritative configuration.
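The static header form above carries exactly one origin. When the allowlist has several origins, the match has to happen per request in middleware.ts. The following is an added example written for this page, not Calmony's own middleware: the environment variable API_V1_ALLOWED_ORIGINS, the function names and the Next.js wiring sketch are assumptions. It shows exact whole-origin matching, fail-closed parsing of the allowlist, preflight handling and the Vary: Origin header, and why prefix, suffix or regex origin checks are unsafe.

```typescript
// middleware-cors.ts: added example (not Calmony's own code). Pure allowlist
// logic with no Next.js imports, so it can be unit-tested stand-alone; the
// middleware.ts wiring is sketched in the comment at the end. The environment
// variable API_V1_ALLOWED_ORIGINS and the helper names are assumptions.

export type CorsHeaders = Record<string, string>;

const ALLOWED_METHODS = 'GET, POST, OPTIONS';
const ALLOWED_HEADERS = 'Content-Type, Authorization';
const PREFLIGHT_MAX_AGE_SECONDS = '600';

function parseUrl(value: string): URL | null {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

/** Canonical scheme://host[:port] for an http(s) origin, or null if `value`
 *  is not one. URL.origin lower-cases the host and drops default ports, so
 *  "https://Ops.Example.com:443" and "https://ops.example.com" compare equal. */
export function normaliseOrigin(value: string): string | null {
  const url = parseUrl(value);
  if (url === null) return null;
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.origin;
}

/** Parse the comma-separated allowlist, e.g.
 *  API_V1_ALLOWED_ORIGINS="https://compliance.example.com,https://ops.example.com".
 *  Misconfiguration throws, so a bad value fails closed at startup instead of
 *  silently opening the API. */
export function parseAllowlist(raw: string | undefined): Set<string> {
  const allowlist = new Set<string>();
  for (const entry of (raw ?? '').split(',')) {
    const trimmed = entry.trim();
    if (trimmed === '') continue;
    if (trimmed === '*') throw new Error('Wildcard origin is not permitted for /api/v1/');
    const origin = normaliseOrigin(trimmed);
    if (origin === null) throw new Error(`Not a valid http(s) origin: ${trimmed}`);
    allowlist.add(origin);
  }
  return allowlist;
}

/** CORS headers for a request whose Origin header is `requestOrigin`, or an
 *  empty object when the origin is absent, malformed or not allowlisted.
 *  Omitting Access-Control-Allow-Origin is the deny: the browser then
 *  withholds the response from the calling page. */
export function corsHeadersFor(requestOrigin: string | null, allowlist: Set<string>): CorsHeaders {
  if (requestOrigin === null) return {};
  // Whole-origin exact match. startsWith/endsWith/regex checks would accept
  // https://compliance.example.com.attacker.net or an http:// downgrade.
  const origin = normaliseOrigin(requestOrigin);
  if (origin === null || !allowlist.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin, // the matched allowlist entry, never '*'
    Vary: 'Origin',                         // the response differs per origin; tell caches
    'Access-Control-Allow-Methods': ALLOWED_METHODS,
    'Access-Control-Allow-Headers': ALLOWED_HEADERS,
  };
}

/** Preflight (OPTIONS) outcome: 204 plus CORS headers for an allowed origin,
 *  403 with no CORS headers otherwise. */
export function preflightResponse(
  requestOrigin: string | null,
  allowlist: Set<string>,
): { status: number; headers: CorsHeaders } {
  const headers = corsHeadersFor(requestOrigin, allowlist);
  if (Object.keys(headers).length === 0) return { status: 403, headers: {} };
  return { status: 204, headers: { ...headers, 'Access-Control-Max-Age': PREFLIGHT_MAX_AGE_SECONDS } };
}

// Assumed wiring in middleware.ts (Next.js NextRequest/NextResponse types):
//
//   const allowlist = parseAllowlist(process.env.API_V1_ALLOWED_ORIGINS); // throws on bad config
//   export const config = { matcher: '/api/v1/:path*' };
//   export function middleware(req: NextRequest) {
//     const origin = req.headers.get('origin');
//     if (req.method === 'OPTIONS') {
//       const { status, headers } = preflightResponse(origin, allowlist);
//       return new NextResponse(null, { status, headers });
//     }
//     const res = NextResponse.next();
//     for (const [k, v] of Object.entries(corsHeadersFor(origin, allowlist))) res.headers.set(k, v);
//     return res;
//   }
```

parseAllowlist throws at module load on '*' or a malformed entry, so a misconfigured deployment refuses to start instead of running open. In the wiring sketch, use res.headers.append for Vary if another layer already sets it, and keep the existing API v1 authentication on every route: an allowlisted origin only lets the browser read the response, it does not authenticate the caller.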


Security Implications

Scenario | Before v0.1.5 | After v0.1.5
Browser request from an unknown origin to /api/v1/ | No explicit policy: Next.js defaults and per-route headers applied, never reviewed as a control | Denied: no Access-Control-Allow-Origin is sent for an origin outside the allowlist, so the browser withholds the response (a simple request may still reach the server; API v1 authentication remains the access control)
Server-to-server call to /api/v1/ | Unaffected (CORS is enforced by browsers, not by the server) | Unaffected
NextAuth flows | Handled by NextAuth internally | Unchanged

Compliance Reference

This change addresses ISO 27001 Control ISO-03, which requires that access controls for information systems are explicitly defined and enforced. Relying on framework defaults for security-relevant HTTP headers does not satisfy this control.

Control | Framework | Remediation
ISO-03 | ISO 27001 | Explicit Access-Control-Allow-Origin policy added to all API endpoints other than the NextAuth-managed routes, which keep NextAuth's own handling