From 88db043b9c2e7fd731ec5e7149c678122b5973dc Mon Sep 17 00:00:00 2001
From: Gandalf
Date: Sun, 28 Dec 2025 12:59:20 +0100
Subject: [PATCH] fix: Change CORS default to deny-all when unconfigured

Change default behavior when DENSER_SERVER_API_CORS_ALLOW_ORIGIN is not set from allow-all (origin: true) to deny-all (origin: false). This follows the fail-closed security principle - misconfigured deployments will block cross-origin requests rather than allowing them. A warning is logged to help operators identify the missing configuration.
---
 packages/smart-signer/lib/cors-options.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/smart-signer/lib/cors-options.ts b/packages/smart-signer/lib/cors-options.ts
index f2867e11e..61954a131 100644
--- a/packages/smart-signer/lib/cors-options.ts
+++ b/packages/smart-signer/lib/cors-options.ts
@@ -10,7 +10,9 @@ const resolveOptionOrigin = (origin: string = ''): boolean | string => {
 return origin;
 }
 }
- return true;
+ // Default to false (deny all) for security - fail-closed approach
+ console.warn('DENSER_SERVER_API_CORS_ALLOW_ORIGIN not set - defaulting to deny all origins');
+ return false;
 };
 //
--
GitLab
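Review bot: The added `console.warn` fires on every call to resolveOptionOrigin that reaches the fall-through, not once at startup; if the CORS options are resolved per request, the same line repeats for each request and buries other warnings. Guard it with a module-level flag, e.g. `let warnedMissingCorsOrigin = false;` above the function and `if (!warnedMissingCorsOrigin) { warnedMissingCorsOrigin = true; console.warn('DENSER_SERVER_API_CORS_ALLOW_ORIGIN not set - defaulting to deny all origins'); }` in place of the bare call, or move the warning to the single site that reads the environment variable. The message names DENSER_SERVER_API_CORS_ALLOW_ORIGIN while the function only receives `origin`, so it is accurate only if every caller passes that variable; a one-line comment on the function stating that assumption would make the contract explicit. resolveOptionOrigin's signature and the branches that return `origin` lie outside the hunk.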