Skip to content

🛡️ Sentinel: Fix missing Vary: Origin in CORS middleware#218

Draft
EffortlessSteven wants to merge 2 commits intomainfrom
sentinel/fix-cors-vary-header-17752059851552910074
Draft

🛡️ Sentinel: Fix missing Vary: Origin in CORS middleware#218
EffortlessSteven wants to merge 2 commits intomainfrom
sentinel/fix-cors-vary-header-17752059851552910074

Conversation

@EffortlessSteven
Copy link
Member

@EffortlessSteven EffortlessSteven commented Feb 26, 2026

🛡️ Sentinel: [CRITICAL/HIGH] Fix CORS cache poisoning vulnerability

🚨 Severity: HIGH
💡 Vulnerability: Missing Vary: Origin header in CORS responses. When Access-Control-Allow-Origin reflects the request Origin (e.g. for wildcard or multi-origin configurations), intermediate caches may cache the response. Without Vary: Origin, a cached response for Origin: A (containing Access-Control-Allow-Origin: A) might be served to a client with Origin: B, causing a CORS error for client B.
🎯 Impact: Valid cross-origin requests may fail due to incorrect cached headers, or potentially (in rare configs) incorrect access.
🔧 Fix: Added Vary: Origin header whenever Access-Control-Allow-Origin is set dynamically. Used append to avoid overwriting other Vary directives.
✅ Verification: New integration test crates/app-http/tests/security_cors_vary.rs confirms the header is present for both GET and OPTIONS requests.

PR created automatically by Jules for task 17752059851552910074 started by @EffortlessSteven

@EffortlessSteven
Fix: Add Vary: Origin header to CORS responses
f2cb7eb 
This change adds the `Vary: Origin` header to responses where `Access-Control-Allow-Origin` is dynamically set (based on the request Origin). This prevents cache poisoning where a response authorized for one origin might be cached and served to a different origin, causing CORS failures.

The fix is applied to both `app-http` and `http-middleware` crates.
Uses `append` instead of `insert` to preserve existing `Vary` headers (e.g. from compression middleware).

Verification:
- Added reproduction test `crates/app-http/tests/security_cors_vary.rs`
- Verified regressions with existing security tests.
Copilot AI review requested due to automatic review settings February 26, 2026 02:14
@google-labs-jules
Copy link

google-labs-jules bot commented Feb 26, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@gemini-code-assist
Copy link

gemini-code-assist bot commented Feb 26, 2026

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai
Copy link

coderabbitai bot commented Feb 26, 2026
edited
Loading

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 45 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 90fd4d1 and 2b94163.

📒 Files selected for processing (3)
  • crates/app-http/src/middleware/cors.rs
  • crates/app-http/tests/security_cors_vary.rs
  • crates/http-middleware/src/cors.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch sentinel/fix-cors-vary-header-17752059851552910074

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI reviewed Feb 26, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR mitigates a CORS-related cache poisoning risk by ensuring responses that dynamically reflect the request Origin include Vary: Origin, preventing intermediate caches from serving mismatched Access-Control-Allow-Origin headers across origins.

Changes:

  • Append Vary: Origin on regular CORS responses when Access-Control-Allow-Origin is set from the request origin.
  • Append Vary: Origin on CORS preflight (OPTIONS) responses when Access-Control-Allow-Origin is set.
  • Add integration tests asserting Vary includes Origin for both GET and OPTIONS requests.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
crates/http-middleware/src/cors.rs Appends Vary: Origin when reflecting allowed origins for both normal and preflight responses.
crates/app-http/src/middleware/cors.rs Mirrors the same Vary: Origin behavior in app-http’s CORS middleware implementation.
crates/app-http/tests/security_cors_vary.rs Adds integration coverage to confirm Vary includes Origin for GET and OPTIONS.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@EffortlessSteven
Fix: Add Vary: Origin header to CORS responses
2b94163 
This change adds the `Vary: Origin` header to responses where `Access-Control-Allow-Origin` is dynamically set (based on the request Origin). This prevents cache poisoning where a response authorized for one origin might be cached and served to a different origin, causing CORS failures.

The fix is applied to both `app-http` and `http-middleware` crates.
Uses `append` instead of `insert` to preserve existing `Vary` headers (e.g. from compression middleware).

Verification:
- Added reproduction test `crates/app-http/tests/security_cors_vary.rs`
- Verified regressions with existing security tests.
@github-actions
Copy link

github-actions bot commented Feb 26, 2026

Test Results

283 tests   245 ✅  11m 24s ⏱️
 25 suites   38 💤
  1 files      0 ❌

Results for commit 2b94163.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@EffortlessSteven