Security Update: CORS Policy Enforcement for REST API and tRPC Routes
Release: v1.0.50 | Security Control: SEC-13 | Severity: High
Overview
This release addresses a missing CORS (Cross-Origin Resource Sharing) policy on the Calmony Pay REST API (/v1/*) and tRPC (/api/trpc) endpoints. Explicit CORS headers are now enforced on all affected routes.
What Was the Risk?
Prior to this release, neither the /v1/* payment API routes nor the /api/trpc endpoints returned any Access-Control-Allow-Origin headers. This created two distinct risk surfaces:
1. /v1/* Payment REST API
The payment REST API is designed for server-to-server use only — it should never be called directly from a browser. Without an explicit CORS policy, however, browsers were not prevented from making cross-origin requests to these endpoints. A malicious page could potentially probe the API from a victim's browser context.
2. /api/trpc Endpoints
The tRPC routes are more sensitive because they handle authenticated, session-bearing requests. Without CORS restrictions, a cross-origin page could make credentialed requests to these endpoints using a logged-in user's session cookies, exposing them to Cross-Site Request Forgery (CSRF) and cross-origin data leakage attacks.
What Changed?
/v1/* Routes — Merchant Domain Allowlist
A CORS middleware has been added to all /v1/* routes. The Access-Control-Allow-Origin header is now set from a configured allowlist of merchant-registered domains. Requests from origins not present on the allowlist will be rejected by the browser's CORS enforcement.
Access-Control-Allow-Origin: https://your-merchant-domain.com
Only origins explicitly registered against a merchant's account will be permitted.
/api/trpc Routes — Application Origin Only
The tRPC endpoints now return an Access-Control-Allow-Origin header locked to the application's own origin. This ensures that only the Calmony Pay frontend itself can make credentialed cross-origin requests to tRPC, eliminating the risk of third-party pages hijacking authenticated sessions.
Access-Control-Allow-Origin: https://app.calmonypay.com
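As an added example, not Calmony Pay's own middleware, the TypeScript below computes the CORS response headers for both policies described above: the merchant allowlist for /v1/* and the single application origin for /api/trpc. The allowlist entries, the policy objects and the function names are assumptions; the merchant origin is a constructed sample.

```typescript
// Added example, not the Calmony Pay middleware: builds the CORS response headers
// for the two policies above. Allowlist entries are constructed samples.
type CorsPolicy =
  | { kind: "allowlist"; origins: ReadonlySet<string> } // /v1/*: merchant domains
  | { kind: "self"; origin: string };                     // /api/trpc: app origin only

// Hypothetical merchant allowlist, as it would be loaded from merchant configuration.
const MERCHANT_ALLOWLIST: ReadonlySet<string> = new Set([
  "https://shop.example-merchant.com",
]);
const APP_ORIGIN = "https://app.calmonypay.com";
const V1_POLICY: CorsPolicy = { kind: "allowlist", origins: MERCHANT_ALLOWLIST };
const TRPC_POLICY: CorsPolicy = { kind: "self", origin: APP_ORIGIN };

// Reduce the Origin header to scheme://host[:port]; "null" or malformed values give null,
// and a path smuggled into the value (https://x.example/https://allowed) is dropped.
function normalizeOrigin(raw: string): string | null {
  try {
    return new URL(raw).origin;
  } catch {
    return null;
  }
}

// Returns the CORS headers to attach to a response. Vary: Origin is always set so a
// shared cache never serves one origin's Allow-Origin header to another origin.
function corsHeaders(policy: CorsPolicy, requestOrigin?: string): Record<string, string> {
  const headers: Record<string, string> = { Vary: "Origin" };
  if (!requestOrigin) return headers; // no Origin header: same-origin or server-to-server
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null) return headers;
  if (policy.kind === "allowlist") {
    if (!policy.origins.has(origin)) return headers; // browser blocks the response
    headers["Access-Control-Allow-Origin"] = origin;   // echo the exact match, never "*"
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    return headers;
  }
  if (origin !== policy.origin) return headers;
  headers["Access-Control-Allow-Origin"] = policy.origin;
  headers["Access-Control-Allow-Credentials"] = "true"; // session cookies: own origin only
  headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
  headers["Access-Control-Allow-Headers"] = "Content-Type";
  return headers;
}

// Preflight: an OPTIONS request from a disallowed origin gets 403 and no CORS headers,
// so the browser never sends the actual request.
function preflightStatus(policy: CorsPolicy, requestOrigin?: string): number {
  return "Access-Control-Allow-Origin" in corsHeaders(policy, requestOrigin) ? 204 : 403;
}
```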
Files Affected
| File | Change |
|---|---|
| src/app/api/v1/customers/route.ts | CORS middleware applied to /v1/* route handlers |
Action Required
For Merchants Using the REST API from a Browser Context
Note: The /v1/* REST API is intended for server-to-server use only. If you are calling it directly from browser-side JavaScript, you should migrate those calls to your own backend, which then calls Calmony Pay server-side.
If you have a legitimate need to call the API from a specific browser origin, ensure that your domain is registered on your merchant account's CORS allowlist. Contact support if you need assistance configuring permitted origins.
For Server-to-Server Integrations
No action is required. Server-side HTTP clients are not subject to CORS restrictions; your existing integration continues to work without modification.
Background: What is CORS?
CORS is a browser security mechanism that controls which origins (scheme + host + port combinations) are permitted to make HTTP requests to a given server. When a browser makes a cross-origin request, it checks the server's Access-Control-Allow-Origin response header. If the requesting origin is not listed, the browser blocks the response.
Importantly, CORS is enforced by the browser — it does not affect server-to-server HTTP calls. This is why the absence of CORS headers on the payment REST API posed a lower immediate risk than on the session-bearing tRPC endpoints, but both surfaces warranted explicit policy.