CORS configuration uses `["*"]` with `credentials: true`

[llinsss]

Description:
The backend sets credentials: true while allowing origin: ["*"] when CORS_ORIGIN is not configured. Browsers reject Access-Control-Allow-Origin: * with credentials, and the fallback can cause unexpected behavior or weaken intended CORS restrictions.

Evidence:

• backend/app.js: origin: process.env.CORS_ORIGIN?.split(",") || ["*"], credentials: true
• backend/services/SocketService.js: similar pattern.

Suggested Fix:
Require explicit CORS_ORIGIN values in production and reject startup when not provided (or set credentials: false when origin is wildcard). For Socket.io, align the CORS origin policy with the HTTP policy.

[drips-wave]

This issue has been added to the Stellar Wave Program and is worth 200 Points.

🧑‍💻 Interested in contributing? Apply to work on this issue on Drips Wave, earn points, and receive rewards.

Warning

Only applications submitted via the apply link above will be considered. Please do not apply by commenting on the issue or opening a PR directly.

🤠 Repo maintainers: You can manage this issue's Points and Complexity on your Maintainer Dashboard here. Please keep an eye on applications and respond quickly 💙

ℹ️ Learn more about Drips Wave

[rosemary21]

@rosemary21 has applied to work on this issue as part of the Stellar Wave Program's 3rd wave.

I’d like to work on this issue because it affects both security and correct cross-origin behavior, especially in production. The current fallback (origin: ["*"] with credentials: true) is not just suboptimal—it’s actually invalid per browser CORS rules, which can lead to broken authentication flows (cookies or auth headers not being sent) and confusing bugs. It also weakens the intended access control by not enforcing a clear origin policy.Relevant Experience
I’ve configured CORS in multiple Node.js/Express and Socket.io applications, including handling credentialed requests with strict origin whitelisting.
Experience debugging real-world issues where browsers silently block requests due to invalid CORS + credentials combinations.
I’ve implemented environment-based configuration validation, ensuring required variables (like allowed origins) are present in production.
Familiar with security best practices around cross-origin access, including avoiding wildcard origins when sensitive data or sessions are involved.
Experience aligning HTTP and WebSocket CORS configurations to prevent inconsistent behavior between REST APIs and real-time connections.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @rosemary21 to this issue.

[drips-wave]

Congratulations, @rosemary21! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on March 30, 2026.

🧑‍💻 @rosemary21: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been marked as completed by a Drips Wave moderator for @rosemary21 as part of the Stellar Wave Program's 3rd Wave 🥳

Moderator's reason: [Auto-assessed] The PR directly addresses the CORS security issue by implementing a centralized configuration that enforces explicit origins in production and syncs Socket.io settings. The PR was merged by maintainers, confirming the fix was accepted as part of a larger validation hardening effort.

😎 @rosemary21: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.

ℹ️ Note: This issue was marked complete via moderation. Points were issued even though the GitHub issue remains open.