chore: CORS should be disabled by default

abose · abose · commit bac8b159486a · 2025-04-16T11:40:52.000+05:30
The default security posture disallows CORS and cookie transfers between domains. that is much
more stricter than allowing CORS. CORS should only be enabled on a need by basis.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -64,7 +64,6 @@
   "dependencies": {
     "@aicore/libcommonutils": "1.0.20",
     "@fastify/compress": "^8.0.1",
-    "@fastify/cors": "^10.0.2",
     "@fastify/rate-limit": "^10.2.2",
     "@fastify/static": "8.1.0",
     "fastify": "5.2.1",
diff --git a/src/server.js b/src/server.js
@@ -10,7 +10,6 @@ import {getConfigs} from "./utils/configs.js";
 import {getHelloSchema, hello, getHelloPostSchema, helloPost} from "./api/hello.js";
 import {fastifyStatic} from "@fastify/static";
 import rateLimit from '@fastify/rate-limit';
-import cors from '@fastify/cors';
 import compression from '@fastify/compress';
 
 import path from 'path';
@@ -55,23 +54,6 @@ server.register(rateLimit, {
     }
 });
 
-server.register(cors, {
-    origin: process.env.NODE_ENV === 'production'
-        ? ['https://yourdomain.com']
-        : true,
-    methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
-    allowedHeaders: [
-        'Content-Type',
-        'Authorization',
-        'X-Requested-With',
-        'Accept'
-    ],
-    exposedHeaders: ['Content-Range', 'X-Content-Range'],
-    credentials: true,
-    maxAge: 86400,
-    preflight: true
-});
-
 // Response Sanitization
 function sanitizeResponse(data) {
     const sensitiveFields = ['password', 'token', 'secret', 'key', 'auth'];
