CORS Configuration for Mobile and External Clients

[Baskarayelu]

Description:

Configure CORS so that approved origins (e.g. web app, future mobile app, partner dashboards) can call the API while blocking others.

Requirements

• Allow list from env: ALLOWED_ORIGINS (comma-separated) e.g. https://app.remitwise.com, http://localhost:3000
• In middleware or route: set Access-Control-Allow-Origin to request origin if in list; else do not set (or set to false)
• For preflight OPTIONS, return 204 with allowed methods and headers
• Document ALLOWED_ORIGINS and security implications
• Do not use * in production for credentials

Acceptance Criteria

• CORS allow list from env
• Preflight handled
• Documented

[drips-wave]

This issue has been added to the Stellar Wave Program and is worth 200 Points.

🧑‍💻 Interested in contributing? Apply to work on this issue on Drips Wave, earn points, and receive rewards.

Warning

Only applications submitted via the apply link above will be considered. Please do not apply by commenting on the issue or opening a PR directly.

🤠 Repo maintainers: You can manage this issue's Points and Complexity on your Maintainer Dashboard here. Please keep an eye on applications and respond quickly 💙

ℹ️ Learn more about Drips Wave

[ayomideadeniran]

I'm a full-stack/backend developer with experience working on API security and middleware configuration.

My approach would be to implement a CORS allowlist using the ALLOWED_ORIGINS env variable, validate request origins in middleware, properly handle OPTIONS preflight requests, and document the setup with the required security considerations for external clients.

Portfolio: https://knightsdev-portfolio.vercel.app/

[IyanuOluwaJesuloba]

@IyanuOluwaJesuloba has applied to work on this issue as part of the Stellar Wave Program's 2nd wave.

I'd like to take on this issue. Kindly assign it to me.
Proper CORS configuration is a security-critical task, and I have the experience to implement it cleanly and correctly.
I'll read ALLOWED_ORIGINS from the environment as a comma-separated list, then apply middleware that checks each incoming request's origin against the allowlist — setting Access-Control-Allow-Origin to the matched origin only, never a wildcard in production. Preflight OPTIONS requests will return 204 with the appropriate Allow-Methods and Allow-Headers headers. Credentials support will be handled safely in line with browser security requirements.
I'll also document the ALLOWED_ORIGINS variable clearly — its format, where to set it per environment, and the security implications of misconfiguration — so the setup is maintainable by the whole team.
Clean implementation, properly tested, and documented. Id be happy to open a PR promptly.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @IyanuOluwaJesuloba to this issue.

[Benalex8797]

@Benalex8797 has applied to work on this issue as part of the Stellar Wave Program's 2nd wave.

i will like to work on this issue, please kindly assign

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Benalex8797 to this issue.

[Johnpii1]

@Johnpii1 has applied to work on this issue as part of the Stellar Wave Program's 2nd wave.

Hello Sir,
I hope you’re doing well! I recently saw your project and I’d love the chance to work with you on it. Please let me know the next steps. I’m really excited about the possibility of collaborating with you.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Johnpii1 to this issue.