Severity: Medium
Area: API — CORS
Location
api/src/main.rs:78
Problem
The API mounts CorsLayer::permissive(), which reflects any origin and allows credentials/headers, on a control-plane API.
Why it matters
It's safe today only because /internal routes require an Authorization: Bearer header (not a cookie, so browsers can't auto-attach it cross-site). Shipping Access-Control-Allow-Origin: * on a control-plane API is needlessly broad and becomes exploitable the moment any cookie/ambient auth is added.
Suggested fix
Restrict CORS to the known web origin, or drop the CORS layer entirely for an internal-only API.
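To make the difference between the current setting and the suggested fix concrete, the following is an added example (not code from api/src/main.rs or from tower-http) that models the per-request CORS decision in plain Rust with no crates. The names CorsPolicy, CorsHeaders and decide are illustrative, and the origin https://app.example.com is a placeholder for the real web origin. It shows the three options the finding names: no CORS at all, the wildcard that the permissive layer emits, and an exact-match allowlist, including the edge cases an allowlist must reject (prefix-extended hosts, scheme mismatch, the "null" origin).

```rust
// Added example, not the project's code: an exact-match origin allowlist that
// models the CORS decision a middleware layer makes per request.
use std::collections::HashSet;

/// Response headers the policy would emit for one request.
#[derive(Debug, PartialEq, Eq)]
pub struct CorsHeaders {
    /// Value for `Access-Control-Allow-Origin`, or `None` to send no header
    /// (the browser then blocks the cross-origin read).
    pub allow_origin: Option<String>,
    /// Whether `Access-Control-Allow-Credentials: true` is sent.
    pub allow_credentials: bool,
    /// Whether `Vary: Origin` is needed so caches keep per-origin responses apart.
    pub vary_origin: bool,
}

pub enum CorsPolicy {
    /// No CORS layer at all: right for an internal-only API that browsers never call.
    Disabled,
    /// The weak setting: `Access-Control-Allow-Origin: *` for every origin.
    AnyOrigin,
    /// The fix: a fixed set of exact origins (scheme + host + port).
    Allowlist {
        origins: HashSet<String>,
        allow_credentials: bool,
    },
}

/// No CORS headers at all (same-origin request, non-browser client, or rejected origin).
fn no_cors() -> CorsHeaders {
    CorsHeaders { allow_origin: None, allow_credentials: false, vary_origin: false }
}

impl CorsPolicy {
    pub fn allowlist<'a>(origins: impl IntoIterator<Item = &'a str>, allow_credentials: bool) -> Self {
        CorsPolicy::Allowlist {
            // Origins are compared case-insensitively on their ASCII serialization.
            origins: origins.into_iter().map(|o| o.to_ascii_lowercase()).collect(),
            allow_credentials,
        }
    }

    /// Decide the CORS response headers for a request whose `Origin` header is `origin`.
    pub fn decide(&self, origin: Option<&str>) -> CorsHeaders {
        // Without an Origin header this is not a cross-origin browser request.
        let Some(origin) = origin else { return no_cors() };
        match self {
            CorsPolicy::Disabled => no_cors(),
            CorsPolicy::AnyOrigin => CorsHeaders {
                allow_origin: Some("*".to_string()),
                // `*` can never be paired with credentials; browsers reject that combination,
                // which is the only reason the wildcard is "safe" while auth is a bearer header.
                allow_credentials: false,
                vary_origin: false,
            },
            CorsPolicy::Allowlist { origins, allow_credentials } => {
                // "null" is what sandboxed iframes, data: URLs and some redirects send;
                // it identifies nobody and must never be allowlisted.
                if origin == "null" {
                    return no_cors();
                }
                // Exact match only: no prefix, suffix or substring comparison, so
                // "https://app.example.com.attacker.test" and "http://app.example.com"
                // are rejected even though both contain the trusted string.
                if origins.contains(&origin.to_ascii_lowercase()) {
                    CorsHeaders {
                        allow_origin: Some(origin.to_string()),
                        allow_credentials: *allow_credentials,
                        // The header now varies by request origin, so caches must be told.
                        vary_origin: true,
                    }
                } else {
                    no_cors()
                }
            }
        }
    }
}

fn main() {
    let policy = CorsPolicy::allowlist(["https://app.example.com"], false);
    for origin in [Some("https://app.example.com"), Some("https://app.example.com.attacker.test"), Some("null"), None] {
        println!("{:?} -> {:?}", origin, policy.decide(origin));
    }
}
```

With tower-http the allowlist variant corresponds to building the layer with `CorsLayer::new().allow_origin(...)` on a parsed `HeaderValue` for the single known origin (plus explicit `allow_methods` and `allow_headers`) instead of `CorsLayer::permissive()`; the `Disabled` variant is simply not mounting the layer, which is the simpler choice if no browser page is meant to call /internal.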