
Conversation

@Doezer Doezer commented Feb 10, 2026

This pull request makes several changes to improve the self-hosting experience of the server, mainly by relaxing security restrictions to allow easier local setup and testing. The most important changes are grouped below by theme:

CORS and Origin Handling:

  • The default value for allowedOrigins in config.ts is now set to "*" (all origins), making it easier for users to self-host without needing to configure specific origins.
  • The Express app now uses the cors middleware, configured with the allowedOrigins value from the server config, ensuring consistent CORS handling across the server.
  • The Socket.IO setup adjusts its CORS logic: if allowedOrigins is "*", it explicitly allows all origins; otherwise, it uses the specified list. This ensures real-time connections are also easy to set up for self-hosting.

Security Headers:

  • HSTS (HTTP Strict Transport Security) is now disabled in the server's route setup, allowing HTTP connections for self-hosting scenarios where SSL may not be configured.
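The wildcard handling the description above relies on, written out as an added example that is not the project's code: normaliseOrigins, originAllowed and corsHeaders are this example's own names, and the matching rule they mirror is the cors package's (exact string comparison for string and array entries, with `*` recognised only as a bare string), which Socket.IO's engine.io also uses for its handshake, so one normalised value should feed both consumers. The example assumes nothing beyond Node's standard library and needs no express, cors or socket.io install to run.

```typescript
// Added example (not the project's code): normalise ALLOWED_ORIGINS once and
// reproduce the cors package's origin matching so the ["*"] pitfall is visible.

type CorsOrigin = "*" | string[];

/** Collapse a list containing "*" to the bare string "*", which is the only
 *  form the cors package (and Socket.IO, which wraps it) treats as "any origin".
 *  Anything else stays an explicit allow-list, trimmed of stray whitespace. */
function normaliseOrigins(allowed: string[]): CorsOrigin {
  if (allowed.some((o) => o.trim() === "*")) return "*";
  return allowed.map((o) => o.trim());
}

/** Mirror of the cors package's rule for a string or array `origin` option:
 *  exact string equality against the request's Origin header. With ["*"] the
 *  only Origin that matches is the literal text "*". */
function originAllowed(requestOrigin: string, option: CorsOrigin): boolean {
  if (option === "*") return true;
  return option.some((o) => o === requestOrigin);
}

/** The CORS response headers the package would emit for one request, or null
 *  when the origin is rejected (the package then simply omits the header).
 *  Wildcard -> literal "*"; allow-list -> echo the origin and add Vary: Origin. */
function corsHeaders(
  requestOrigin: string,
  option: CorsOrigin,
  credentials: boolean,
): Record<string, string> | null {
  if (!originAllowed(requestOrigin, option)) return null;
  const headers: Record<string, string> = {};
  if (option === "*") {
    headers["Access-Control-Allow-Origin"] = "*";
  } else {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin";
  }
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

/** Browsers refuse a credentialed cross-origin response whose
 *  Access-Control-Allow-Origin is "*": the wildcard and cookie-based auth
 *  cannot be combined, an explicit origin list is required instead. */
function browserAcceptsCredentialed(headers: Record<string, string> | null): boolean {
  if (headers === null) return false;
  return (
    headers["Access-Control-Allow-Credentials"] === "true" &&
    headers["Access-Control-Allow-Origin"] !== "*"
  );
}

/** One value for both `cors({ origin })` and the Socket.IO `cors` option. */
function buildCorsOptions(allowed: string[], credentials: boolean) {
  return { origin: normaliseOrigins(allowed), credentials };
}
```

In the real server the value from buildCorsOptions goes to both the Express cors middleware and the Socket.IO server option; keeping the normalisation in config.ts means neither consumer needs its own wildcard check. The constructed origins in the test (example.com, app.example) are placeholders, not addresses from the project.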

@gemini-code-assist

Summary of Changes

Hello @Doezer, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request aims to improve the self-hosting experience by relaxing network security configurations. It broadens the Cross-Origin Resource Sharing (CORS) policy to allow all origins by default, making it easier for different frontends to connect. Additionally, it disables HTTP Strict Transport Security (HSTS), which can prevent issues in environments where SSL/TLS is not readily available or desired, streamlining deployment for various setups.

Highlights

  • CORS Configuration Relaxed: The default allowedOrigins for the server has been changed to * (all origins) when not explicitly configured, simplifying self-hosting setups.
  • CORS Middleware Applied: The cors middleware from the cors package is now explicitly used in the Express application, applying the configured allowedOrigins to incoming requests.
  • Socket.IO CORS Logic Updated: The Socket.IO server's CORS origin configuration now correctly handles the * wildcard when allowedOrigins is set to *, ensuring proper WebSocket connections.
  • HSTS Disabled: HTTP Strict Transport Security (HSTS) has been explicitly disabled in the security middleware, which is beneficial for self-hosting environments that might not use SSL/TLS.
Changelog
  • server/config.ts
    • Updated the default allowedOrigins to * for easier self-hosting.
  • server/index.ts
    • Imported the cors middleware.
    • Applied the cors middleware to the Express app using the configured allowedOrigins.
  • server/routes.ts
    • Disabled HSTS within the security middleware configuration.
  • server/socket.ts
    • Modified the Socket.IO CORS origin logic to correctly pass * when allowedOrigins is set to *.
Activity
  • No human activity has been recorded on this pull request yet.


codecov bot commented Feb 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request aims to relax security settings for CORS and HSTS to simplify self-hosting. However, this introduces significant security risks by setting insecure defaults. Specifically, the default CORS policy is changed to allow all origins (*), which exposes the application to Cross-Site Request Forgery (CSRF) attacks. Additionally, HTTP Strict Transport Security (HSTS) is disabled for all environments, making the application vulnerable to man-in-the-middle attacks in production. There is also a configuration bug where the Express cors middleware is not correctly configured to handle the wildcard * origin. It's crucial to prioritize a secure-by-default configuration, potentially making these features conditional based on the environment.

import cors from "cors";

const app = express();
app.use(cors({ origin: config.server.allowedOrigins }));
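Review bot: `origin: config.server.allowedOrigins` hands the cors package an array, and for an array the package matches each entry by exact string equality against the request's Origin header, so the new `["*"]` default admits only a request whose Origin is literally `*` and rejects every real browser origin. Collapse a lone `*` to the bare string `"*"` before passing it, as socket.ts already does, or better normalise once in config.ts so both the Express middleware and the Socket.IO handshake (which wraps the same package) receive the same value. One more check before relying on the wildcard: if any frontend sends cookies or an Authorization header cross-origin, the package answers `"*"` with a literal `Access-Control-Allow-Origin: *`, which browsers refuse on credentialed responses, so those deployments still need an explicit origin list.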

high

The cors middleware for Express is being configured with origin: config.server.allowedOrigins. If config.server.allowedOrigins is ['*'], this will not correctly configure CORS to allow all origins. The cors package expects the string '*' to allow any origin, not an array containing '*'. This means that if ALLOWED_ORIGINS is not set, CORS will be misconfigured and likely block all cross-origin requests.

You should apply the same logic here as you did in server/socket.ts to correctly handle the wildcard origin.

Suggested change
app.use(cors({ origin: config.server.allowedOrigins }));
app.use(cors({ origin: config.server.allowedOrigins.length === 1 && config.server.allowedOrigins[0] === "*" ? "*" : config.server.allowedOrigins }));

allowedOrigins: env.ALLOWED_ORIGINS
? env.ALLOWED_ORIGINS.split(",").map((origin) => origin.trim())
: ["http://localhost:port".replace("port", env.PORT.toString())],
: ["*"], // Default to allowing all origins for easier self-hosting logic
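Review bot: this fallback silently changes meaning from "same host only" to "any origin" and gives the operator no signal that it is in effect; because the same value feeds the Socket.IO handshake, an instance left unconfigured that authenticates sockets with a session cookie becomes reachable from any page a logged-in user visits, since WebSocket handshakes carry cookies regardless of CORS. Keep the localhost default, or if the wildcard stays, log a clear startup warning whenever ALLOWED_ORIGINS is unset and document the variable in the self-hosting instructions. Style point on the removed line: `"http://localhost:port".replace("port", env.PORT.toString())` reads more naturally as a template literal, `` `http://localhost:${env.PORT}` ``.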

security-medium medium

The default value for allowedOrigins has been changed to ["*"], allowing all origins. This is a critical security risk as a permissive CORS policy (*) allows any website to make requests to the application's API, potentially enabling attackers to perform Cross-Site Request Forgery (CSRF) attacks on behalf of a logged-in user or access sensitive data. While this might simplify self-hosting, it sets a dangerous default. It's recommended to revert this change to maintain a secure-by-default posture, requiring explicit configuration for production via the ALLOWED_ORIGINS environment variable.

Suggested change
: ["*"], // Default to allowing all origins for easier self-hosting logic
: ["http://localhost:port".replace("port", env.PORT.toString())],

"connect-src": connectSrc,
},
},
hsts: false, // Disable HSTS to allow HTTP connections for self-hosting without SSL
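Review bot: `hsts: false` does not do what the comment says. Helmet only emits the Strict-Transport-Security header; it never forces HTTPS, and browsers ignore that header on any response received over plain HTTP (RFC 6797, section 8.1), so an HTTP-only self-host behaves identically with HSTS left on. The only effect of this line is to drop the header for deployments that do terminate TLS, including those behind a reverse proxy that forwards the request. If the intent is to let an operator undo a policy that browsers have already cached from an earlier HTTPS deployment, the mechanism is serving `max-age=0` over HTTPS, not removing the header. Keep helmet's default, or emit the header only when the request actually arrived over TLS.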

security-medium medium

HTTP Strict Transport Security (HSTS) has been explicitly disabled (hsts: false). HSTS is a critical security policy that protects against man-in-the-middle attacks like protocol downgrade attacks and cookie hijacking by forcing browsers to use secure HTTPS connections. Disabling it makes users vulnerable to these attacks, especially if they connect over unencrypted HTTP. While disabling it might be necessary for local development or self-hosting without SSL, it significantly weakens the security posture for production. It should be enabled in production environments, ideally by making the setting conditional based on the environment.

Suggested change
hsts: false, // Disable HSTS to allow HTTP connections for self-hosting without SSL
hsts: appConfig.server.isProduction, // Conditionally enable HSTS in production
References
  1. Security settings should be applied conditionally based on the environment (e.g., development vs. production) to ensure robust security in production while allowing flexibility for development. This aligns with the principle of conditionally applying insecure directives only in development environments.

@Doezer Doezer deployed to production February 12, 2026 07:12 — with GitHub Actions Active
@Doezer Doezer changed the title from "fix: relax CORS & force disabled HSTS" to "fix: relax CORS and disable mandatory HTTPs in helmet" on Feb 12, 2026

Doezer commented Feb 12, 2026

/gemini review

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request aims to simplify the self-hosting experience by relaxing security configurations. However, this introduces critical security risks for production deployments due to a permissive CORS policy and the disabling of HSTS and COOP headers, which weaken the application's defense against cross-origin and Man-in-the-Middle attacks. It is crucial to make these relaxed settings conditional, applying them only in development environments while maintaining robust security for production deployments.

allowedOrigins: env.ALLOWED_ORIGINS
? env.ALLOWED_ORIGINS.split(",").map((origin) => origin.trim())
: ["http://localhost:port".replace("port", env.PORT.toString())],
: ["*"], // Default to allowing all origins for easier self-hosting logic

security-medium medium

The default value for allowedOrigins has been changed to ["*"], creating a permissive CORS policy that allows any website to make requests to your API. This significantly increases the attack surface and can lead to cross-origin information leaks and CSRF attacks, especially since the default NODE_ENV is production. It is recommended to keep a more restrictive default (like localhost) and allow users to explicitly configure additional origins via environment variables, or make this setting conditional for development environments.

Suggested change
: ["*"], // Default to allowing all origins for easier self-hosting logic
: ["http://localhost:port".replace("port", env.PORT.toString())],

Comment on lines +152 to +156
"upgrade-insecure-requests": null, // 🛡️ Disable automatic HTTPS upgrades for HTTP-only self-hosting
},
},
hsts: false, // Disable HSTS to allow HTTP connections for self-hosting without SSL
crossOriginOpenerPolicy: false, // Disable COOP for remote access
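Review bot: the three relaxations here have different justifications and should not share one rationale. Removing `upgrade-insecure-requests` is genuinely required for HTTP-only hosting, since that CSP directive makes the browser rewrite every subresource request to https, which then fails when nothing listens on TLS. `hsts: false` is not required for the same scenario, because the browser discards the header over HTTP anyway, so the line only costs TLS deployments their protection. `crossOriginOpenerPolicy: false` is unexplained: "for remote access" does not say which flow breaks. If it is a cross-origin popup that needs `window.opener` (a login popup, for instance), helmet's `crossOriginOpenerPolicy: { policy: "same-origin-allow-popups" }` keeps the main document isolated while allowing that flow; if nothing is known to break, leave the default. Each comment should name the concrete failure the relaxation fixes so a later maintainer can tell when it may be reverted.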

security-medium medium

Disabling upgrade-insecure-requests, hsts, and crossOriginOpenerPolicy significantly weakens the security posture of the application. Specifically, disabling HSTS and automatic HTTPS upgrades makes the application vulnerable to Man-in-the-Middle (MitM) attacks and SSL stripping, while disabling COOP increases susceptibility to cross-origin side-channel attacks (like Spectre). These important security headers should be enabled in production and made conditional on the environment, rather than being disabled globally.

Suggested change
"upgrade-insecure-requests": null, // 🛡️ Disable automatic HTTPS upgrades for HTTP-only self-hosting
},
},
hsts: false, // Disable HSTS to allow HTTP connections for self-hosting without SSL
crossOriginOpenerPolicy: false, // Disable COOP for remote access
"upgrade-insecure-requests": appConfig.server.isProduction ? undefined : null,
},
},
hsts: appConfig.server.isProduction,
crossOriginOpenerPolicy: false,
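An alternative to the environment flag the review above proposes, as an added example that is not the project's or helmet's code: decide per response whether to send HSTS, based on whether the request actually arrived over TLS. Browsers only honour Strict-Transport-Security received over HTTPS, so an HTTP-only self-host loses nothing while a TLS deployment keeps the header, and no NODE_ENV switch is needed. servedOverTls, securityHeaders, middleware and the HeaderPolicy shape are this example's own names; the CSP it builds is a minimal illustration, not helmet's default set, and the request and response shapes are the minimum needed to run without express or helmet installed.

```typescript
// Added example (not the project's code): emit HSTS and upgrade-insecure-requests
// only on responses that actually travelled over TLS, and keep COOP in its
// popup-tolerant form instead of disabling it.

interface MinimalReq {
  secure?: boolean; // what express sets when TLS terminates in-process
  headers: Record<string, string | undefined>;
}
interface MinimalRes {
  setHeader(name: string, value: string): void;
}

interface HeaderPolicy {
  trustProxy: boolean;  // explicit deployment setting, see servedOverTls
  hstsMaxAge: number;   // seconds; serve 0 over HTTPS to undo a cached policy
  allowPopups: boolean; // COOP same-origin-allow-popups for popup-based flows
}

/** True when the client connection is TLS, either directly (req.secure) or via a
 *  reverse proxy that sets X-Forwarded-Proto. The header is only consulted when
 *  trustProxy is on: honouring it from arbitrary clients would let anyone on
 *  plain HTTP claim a secure context. (With express's own `trust proxy` setting,
 *  req.secure already folds this in; it is spelled out here to show the check.) */
function servedOverTls(req: MinimalReq, trustProxy: boolean): boolean {
  if (req.secure === true) return true;
  if (!trustProxy) return false;
  const raw = req.headers["x-forwarded-proto"] || "";
  const proto = raw.split(",")[0].trim().toLowerCase(); // first hop wins
  return proto === "https";
}

/** Compute the security headers for one response as a map so they can be
 *  inspected; `middleware` below applies them express-style. */
function securityHeaders(req: MinimalReq, policy: HeaderPolicy): Record<string, string> {
  const tls = servedOverTls(req, policy.trustProxy);
  const headers: Record<string, string> = {};

  // CSP: ask the browser to upgrade subresources only when TLS exists, otherwise
  // every upgraded fetch fails on an HTTP-only host.
  const csp: string[] = ["default-src 'self'"];
  if (tls) csp.push("upgrade-insecure-requests");
  headers["Content-Security-Policy"] = csp.join("; ");

  // HSTS: pointless over HTTP (browsers discard it), valuable over HTTPS.
  if (tls) {
    headers["Strict-Transport-Security"] =
      "max-age=" + policy.hstsMaxAge + "; includeSubDomains";
  }

  // COOP: keep isolation; allow-popups is the relaxation for opener-based flows.
  headers["Cross-Origin-Opener-Policy"] = policy.allowPopups
    ? "same-origin-allow-popups"
    : "same-origin";
  return headers;
}

/** Express-shaped middleware built from the policy. */
function middleware(policy: HeaderPolicy) {
  return (req: MinimalReq, res: MinimalRes, next: () => void): void => {
    const headers = securityHeaders(req, policy);
    for (const name in headers) res.setHeader(name, headers[name]);
    next();
  };
}
```

The per-request decision replaces both `hsts: appConfig.server.isProduction` and the global `"upgrade-insecure-requests": null`: a production instance that someone runs over plain HTTP gets neither header, and a development instance behind a TLS proxy gets both. trustProxy must stay off unless a proxy you control sits in front, which is the same caveat as express's `trust proxy`.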
