Security Update: CORS Policy Enforcement on REST API and tRPC Routes
Release: v1.0.46 | Control: SEC-13 | Category: Infrastructure Security
Background
Prior to this release, the Calmony Pay /v1/* payment REST API and /api/trpc endpoints had no explicit Cross-Origin Resource Sharing (CORS) headers configured. While the payment REST API is designed for server-to-server use, the absence of an explicit CORS policy means browsers could still issue cross-origin requests against these endpoints.
This was particularly concerning for the tRPC routes, which handle authenticated, session-bearing requests. Without a restrictive CORS policy, a malicious cross-origin page could potentially trigger requests that carry a user's session credentials.
What Changed
/v1/* Payment REST API
CORS headers are now explicitly configured on all /v1/* routes. The Access-Control-Allow-Origin header is restricted to a configured allowlist of merchant-registered domains. Requests originating from any domain not on this allowlist will be rejected at the CORS preflight stage.
/api/trpc Endpoints
The tRPC routes now enforce Access-Control-Allow-Origin scoped to the application's own origin only. This ensures that no third-party site can make credentialed cross-origin requests to these endpoints.
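The two policies described above, reduced to a pure function so the origin decision can be unit-tested without a server. This is an added example, not Calmony Pay's own code: the policy type, the header set and the sample origins are assumptions.

```typescript
// Added example (not the project's code). Models the two CORS policies:
// a merchant allowlist for /v1/* and the app's own origin for /api/trpc.
type CorsPolicy =
  | { kind: "allowlist"; origins: readonly string[] } // /v1/*: merchant-registered domains
  | { kind: "self"; origin: string };                 // /api/trpc: the application's own origin

// A value only counts as an origin if it is exactly scheme + host [+ port].
// Trailing slashes, paths, default ports written out, and the literal "null"
// (sent for sandboxed or opaque origins) never match.
function isBareOrigin(value: string): boolean {
  try {
    return new URL(value).origin === value;
  } catch {
    return false;
  }
}

// Returns the origin to echo back, or null if it is not permitted.
function allowedOrigin(requestOrigin: string, policy: CorsPolicy): string | null {
  if (!isBareOrigin(requestOrigin)) return null;
  const allowed = policy.kind === "self" ? [policy.origin] : policy.origins;
  // Exact string comparison only: no suffix or regex matching, so a lookalike
  // such as "https://evil-merchant-a.example" cannot satisfy the entry for
  // "https://merchant-a.example".
  return allowed.some((o) => o === requestOrigin) ? requestOrigin : null;
}

// Response headers for a given Origin header. Returns null when the origin is
// not allowed; the route turns that into a 403 on preflight and a response
// with no Access-Control-* headers otherwise, so the browser blocks the read.
function corsHeaders(requestOrigin: string | null, policy: CorsPolicy): Record<string, string> | null {
  // No Origin header: not a browser cross-origin request (e.g. a server-to-server
  // call to /v1/*). CORS does not apply and no CORS headers are emitted.
  if (requestOrigin === null) return {};
  const origin = allowedOrigin(requestOrigin, policy);
  if (origin === null) return null;
  // Access-Control-Allow-Credentials is deliberately never set: the only origin
  // tRPC allows is the app itself, whose same-origin requests need no CORS grant,
  // and merchant domains are not given credentialed access.
  return {
    "Access-Control-Allow-Origin": origin, // only an allowlisted value, never "*"
    "Vary": "Origin",                      // caches must key responses on Origin
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
  };
}

// Status for an OPTIONS preflight: 204 with headers, or 403 with none.
function preflightStatus(requestOrigin: string | null, policy: CorsPolicy): number {
  return corsHeaders(requestOrigin, policy) === null ? 403 : 204;
}
```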
Why This Matters
| Endpoint | Risk Before Fix | Policy After Fix |
|---|---|---|
| /v1/* | Browser could send unauthenticated cross-origin requests | Allowlisted merchant domains only |
| /api/trpc | Session-bearing requests could be triggered cross-origin | Application's own origin only |
A well-defined CORS policy is a defence-in-depth control. Even though the /v1/* API is intended for server-side consumption, making the allowed origins explicit removes ambiguity and closes off any browser-based attack surface.
Configuration
The CORS allowlist for /v1/* routes is driven by a configurable list of merchant-registered domains. Ensure this list is kept up to date as new merchant integrations are onboarded.
For tRPC, no additional configuration is required — the policy is automatically scoped to the application's own origin.
Affected Files
src/app/api/v1/customers/route.ts
References
- MDN — Cross-Origin Resource Sharing (CORS)
- SEC-13 internal security control audit