update CORS

2026-02-24 14:35:32 +07:00
parent d3da098f6f
commit d0f41920f7
1 changed files with 8 additions and 1 deletions
--- a/app.js
+++ b/app.js
@@ -69,8 +69,15 @@ app.use(helmet({
  },
 }));
 app.use(cors({
-  origin: config.cors.origin,
+  origin: (origin, callback) => {
+    // Allow requests with no origin (mobile apps, Postman, server-to-server)
+    if (!origin) return callback(null, true);
+    // Allow all origins but still support credentials
+    return callback(null, true);
+  },
  credentials: true,
+  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+  allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
 }));

 /**