Deploy: 2026-05-21 01:58:32

backend/app/Core/Response.php

@@ -39,10 +39,12 @@ class Response
         $this->setStatusCode($code);
         $this->setHeader('Content-Type', 'application/json; charset=utf-8');
         
-        // Setup base CORS headers for our API
-        $this->setHeader('Access-Control-Allow-Origin', '*');
+        // Setup CORS headers — restrict origin to the configured allowed domain
+        $allowedOrigin = getenv('ALLOWED_ORIGIN') ?: '*';
+        $this->setHeader('Access-Control-Allow-Origin', $allowedOrigin);
         $this->setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
         $this->setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With');
+        $this->setHeader('Vary', 'Origin'); // Required when Access-Control-Allow-Origin is not *
 
         $this->sendHeaders();
         http_response_code($this->statusCode);