hub / github.com/ZenNotes/zennotes / corsMiddleware

Method corsMiddleware

apps/server/internal/httpserver/security.go:328–348
(next http.Handler)

Source from the content-addressed store, hash-verified

}

func (s *Server) corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := strings.TrimSpace(r.Header.Get("Origin"))
		if origin != "" {
			if s.isAllowedOrigin(r, origin) {
				// Echo the origin only after the allow-list check; browsers
				// reject a wildcard origin combined with credentials.
				w.Header().Set("Access-Control-Allow-Origin", origin)
				w.Header().Set("Access-Control-Allow-Credentials", "true")
				w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
				w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, If-Match")
				w.Header().Add("Vary", "Origin")
				// Answer the preflight here without invoking next.
				if r.Method == http.MethodOptions {
					w.WriteHeader(http.StatusNoContent)
					return
				}
			} else {
				// No CORS headers are set for a rejected origin; the request
				// still reaches next below.
				s.logCORSRejection(origin)
			}
		}
		next.ServeHTTP(w, r)
	})
}

// logCORSRejection emits one log line per unique origin so a
// misconfigured ZENNOTES_ALLOWED_ORIGINS surfaces in operator logs

Callers

nothing calls this directly

Calls 2

isAllowedOrigin · Method · 0.95
logCORSRejection · Method · 0.95

Tested by

no test coverage detected