Merge pull request #2975 from Infisical/daniel/custom-cors

feat(api): custom cors settings
Infisical · Jan 13, 2025 · 194fbb7 · 194fbb7
2 parents faaba8d + c08fbbd
commit 194fbb7
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 3 deletions.
diff --git a/backend/src/lib/config/env.ts b/backend/src/lib/config/env.ts
@@ -199,7 +199,29 @@ const envSchema = z
     INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET: zpStr(z.string().optional()),
     INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY: zpStr(z.string().optional()),
     INF_APP_CONNECTION_GITHUB_APP_SLUG: zpStr(z.string().optional()),
-    INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional())
+    INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional()),
+
+    /* CORS ----------------------------------------------------------------------------- */
+
+    CORS_ALLOWED_ORIGINS: zpStr(
+      z
+        .string()
+        .optional()
+        .transform((val) => {
+          if (!val) return undefined;
+          return JSON.parse(val) as string[];
+        })
+    ),
+
+    CORS_ALLOWED_HEADERS: zpStr(
+      z
+        .string()
+        .optional()
+        .transform((val) => {
+          if (!val) return undefined;
+          return JSON.parse(val) as string[];
+        })
+    )
   })
   // To ensure that basic encryption is always possible.
   .refine(

diff --git a/backend/src/server/app.ts b/backend/src/server/app.ts
@@ -87,7 +87,16 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 
     await server.register<FastifyCorsOptions>(cors, {
       credentials: true,
-      origin: appCfg.SITE_URL || true
+      ...(appCfg.CORS_ALLOWED_ORIGINS?.length
+        ? {
+            origin: [...appCfg.CORS_ALLOWED_ORIGINS, ...(appCfg.SITE_URL ? [appCfg.SITE_URL] : [])]
+          }
+        : {
+            origin: appCfg.SITE_URL || true
+          }),
+      ...(appCfg.CORS_ALLOWED_HEADERS?.length && {
+        allowedHeaders: appCfg.CORS_ALLOWED_HEADERS
+      })
     });
 
     await server.register(addErrorsToResponseSchemas);

diff --git a/docs/self-hosting/configuration/envars.mdx b/docs/self-hosting/configuration/envars.mdx
@@ -34,6 +34,27 @@ Used to configure platform-specific security and operational settings
   this to `false`.
 </ParamField>
 
+## CORS
+
+Cross-Origin Resource Sharing (CORS) is a security feature that allows web applications running on one domain to access resources from another domain.
+The following environment variables can be used to configure the Infisical Rest API to allow or restrict access to resources from different origins.
+
+<ParamField query="CORS_ALLOWED_ORIGINS" type="string" optional>
+
+  Specify a list of origins that are allowed to access the Infisical API.
+
+  An example value would be `CORS_ALLOWED_ORIGINS=["https://example.com"]`.
+
+  Defaults to the same value as your `SITE_URL` environment variable.
+</ParamField>
+
+<ParamField query="CORS_ALLOWED_METHODS" type="string" optional>
+  Array of HTTP methods allowed for CORS requests.
+
+  Defaults to reflecting the headers specified in the request's Access-Control-Request-Headers header.
+</ParamField>
+
+
 ## Data Layer
 
 The platform utilizes Postgres to persist all of its data and Redis for caching and backgroud tasks
@@ -72,7 +93,7 @@ DB_READ_REPLICAS=[{"DB_CONNECTION_URI":""}]
   </Expandable>
 </ParamField>
 
-## Email service
+## Email Service
 
 Without email configuration, Infisical's core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.