Removing credential: true from cors options as it contradicts the origin: '*' option (#386)

### TL;DR
Removed CORS credentials support from the application middleware

### What changed?
Removed the `credentials: true` option from the CORS configuration, which previously allowed the sharing of cookies and HTTP authentication across origins

### How to test?
1. Start the application
2. Make a cross-origin request to any endpoint
3. Verify that CORS requests work without credentials
4. Confirm that cookies and authentication headers are not shared across origins

### Why make this change?
Removing CORS credentials enhances security by preventing the sharing of sensitive authentication information across different domains. This is a more secure default configuration when credential sharing isn't explicitly required.
seanspeaks authored Feb 23, 2025
2 parents a431602 + cf751ae commit 24ddb0d
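The header check behind steps 3 and 4 of the test plan above can be scripted. This is an added example, not code from the commit or the project; `auditCorsResponse`, `probe`, `BEFORE` and `AFTER` are hypothetical names, and the header sets are constructed samples.

```javascript
// Added example: audits CORS response headers for the state this commit targets.
// BEFORE/AFTER are constructed samples, not responses captured from the project.

// Normalise header names to lower case; accepts a plain object or a fetch Headers.
function normalise(headers) {
  const entries = typeof headers.entries === 'function'
    ? [...headers.entries()]
    : Object.entries(headers);
  return new Map(entries.map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
}

// Returns a list of findings; an empty list means steps 3 and 4 pass.
function auditCorsResponse(headers) {
  const h = normalise(headers);
  const origin = h.get('access-control-allow-origin');
  const creds = h.get('access-control-allow-credentials');
  const findings = [];
  if (origin === undefined) {
    findings.push('no Access-Control-Allow-Origin: cross-origin reads are blocked');
  }
  if (creds !== undefined) {
    findings.push('Access-Control-Allow-Credentials is still sent: ' + creds);
  }
  if (origin === '*' && creds === 'true') {
    // Browsers refuse a credentialed response whose allowed origin is the wildcard.
    findings.push('wildcard origin combined with credentials: contradictory policy');
  }
  return findings;
}

// Hypothetical helper for a running instance (Node 18+ global fetch, not a browser).
async function probe(url, origin = 'https://other.example') {
  const res = await fetch(url, { headers: { Origin: origin } });
  return auditCorsResponse(res.headers);
}

// Constructed header sets standing for the configuration before and after the change.
const BEFORE = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
};
const AFTER = { 'access-control-allow-origin': '*' };

console.log({ before: auditCorsResponse(BEFORE), after: auditCorsResponse(AFTER) });
```

Against a locally started instance, `probe('<app URL>')` returns the same findings list for the live response.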
Showing 1 changed file with 0 additions and 1 deletion.
1 change: 0 additions & 1 deletion packages/core/handlers/app-handler-helpers.js
Expand Up @@ -14,7 +14,6 @@ const createApp = (applyMiddleware) => {
app.use(
cors({
origin: '*',
credentials: true,
})
);
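Review bot: no test accompanies the removal of `credentials: true` in `createApp`; the commit touches one file with a single deletion, so steps 3 and 4 of the test plan are manual only. Consider adding a test that sends a request with an `Origin` header through the app and asserts that the response carries no `Access-Control-Allow-Credentials` header. A short comment beside `origin: '*'` stating that credentials must not be re-enabled while the origin is a wildcard would also keep the contradiction named in the commit title from being reintroduced.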
