Summary
Application.kt configures CORS with anyHost() — this allows any origin to make cross-origin requests to the API, including malicious third-party websites. CORS is the browser's opt-in for cross-origin reads, so a wildcard origin lets any page a user visits read API responses in the user's context.
Location
File: backend/src/main/kotlin/uk/co/fueller/backend/Application.kt
    install(CORS) {
        anyHost()   // wildcard: every origin is accepted
        ...
    }
What to change
Replace with an explicit origin allowlist:
    import io.ktor.http.HttpHeaders
    import io.ktor.http.HttpMethod
    import io.ktor.server.plugins.cors.routing.CORS

    install(CORS) {
        // Ktor's allowHost defaults to the http scheme, so https must be given explicitly
        allowHost("fueller.co.uk", schemes = listOf("https"))
        allowHost("www.fueller.co.uk", schemes = listOf("https"))
        // add staging domain if needed
        allowMethod(HttpMethod.Get)
        allowHeader(HttpHeaders.ContentType)
    }
For a mobile-only API with no web client, consider removing the CORS plugin entirely: CORS is enforced only by browsers, so the Android app is not subject to CORS restrictions and gains nothing from the headers.
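A regression test for the allowlist, added here as an example and not taken from the project. It assumes Ktor 2.x with the ktor-server-test-host and kotlin-test artifacts, and defines its own corsAllowlistModule (a hypothetical stand-in for the module in Application.kt) with a /ping route; it checks that an allowlisted HTTPS origin is echoed back, that an unknown origin is refused, and that plain http on an allowlisted host is also refused.

```kotlin
import io.ktor.client.request.*
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.plugins.cors.routing.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import io.ktor.server.testing.*
import kotlin.test.*

// Assumed: mirrors the proposed allowlist; defined here rather than imported from Application.kt.
fun Application.corsAllowlistModule() {
    install(CORS) {
        allowHost("fueller.co.uk", schemes = listOf("https"))
        allowHost("www.fueller.co.uk", schemes = listOf("https"))
        allowMethod(HttpMethod.Get)
        allowHeader(HttpHeaders.ContentType)
    }
    routing { get("/ping") { call.respondText("pong") } }
}

class CorsAllowlistTest {
    @Test
    fun `allowlisted https origin is echoed back`() = testApplication {
        application { corsAllowlistModule() }
        val resp = client.get("/ping") { header(HttpHeaders.Origin, "https://www.fueller.co.uk") }
        assertEquals(HttpStatusCode.OK, resp.status)
        // Ktor echoes the specific origin, never "*", for an allowlisted host
        assertEquals("https://www.fueller.co.uk", resp.headers[HttpHeaders.AccessControlAllowOrigin])
    }

    @Test
    fun `unknown origin is refused and gets no CORS header`() = testApplication {
        application { corsAllowlistModule() }
        val resp = client.get("/ping") { header(HttpHeaders.Origin, "https://evil.example") }
        // Ktor's CORS plugin answers a disallowed origin with 403 Forbidden
        assertEquals(HttpStatusCode.Forbidden, resp.status)
        assertNull(resp.headers[HttpHeaders.AccessControlAllowOrigin])
    }

    @Test
    fun `plain http on an allowlisted host is refused`() = testApplication {
        application { corsAllowlistModule() }
        val resp = client.get("/ping") { header(HttpHeaders.Origin, "http://fueller.co.uk") }
        assertEquals(HttpStatusCode.Forbidden, resp.status)
    }
}
```

The second and third tests fail against the current anyHost() configuration, which is the point: they pin the fix so a later edit cannot silently widen the allowlist again.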
Workstream: WS1 Phase 1A