== CORS Configuration
ChapterX defines a CORS policy that restricts which origins a browser may use to call the API. Without it, a page on any other website, loaded in a logged-in user's browser, could read responses from the API using that user's session.
The policy is registered in Program.cs and applied globally, ahead of the other middleware:
{{{
builder.Services.AddCors(options =>
{
    options.AddPolicy("Frontend", policy =>
        policy.WithOrigins("http://localhost:5173", "https://localhost:5173")
              .AllowAnyHeader()
              .AllowAnyMethod());
});

app.UseCors("Frontend");
}}}
Only the frontend development server (localhost:5173) is allow-listed as an origin. The browser enforces the policy: a page on any other origin cannot read the API's responses, and preflighted requests are blocked before they are sent, so they never reach any controller logic.
In a production environment, localhost:5173 must be replaced with the actual deployed frontend domain.
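The following is an added example, not code from ChapterX, showing how the same policy can read its allowed origins from configuration so that the production build does not ship the localhost origin. The configuration key `Cors:AllowedOrigins` and the policy name are assumptions for this example; the middleware order shown (UseCors between UseRouting and UseAuthorization) is the order ASP.NET Core requires.

```csharp
// Added example (not ChapterX's own code): CORS origins taken from configuration.
// Assumes appsettings.json carries a "Cors:AllowedOrigins" string array (hypothetical key).
var builder = WebApplication.CreateBuilder(args);

string[] allowedOrigins = builder.Configuration
    .GetSection("Cors:AllowedOrigins")
    .Get<string[]>() ?? Array.Empty<string>();

if (allowedOrigins.Length == 0)
{
    // Fail closed: a missing list must not quietly become "no restriction".
    throw new InvalidOperationException("Cors:AllowedOrigins must list at least one origin.");
}

builder.Services.AddCors(options =>
{
    options.AddPolicy("Frontend", policy =>
        policy.WithOrigins(allowedOrigins)   // exact scheme + host + port matches only
              .AllowAnyHeader()
              .AllowAnyMethod());

    // Shown only for contrast: a wildcard policy. A wildcard origin removes the
    // protection this section describes, and ASP.NET Core rejects combining
    // AllowAnyOrigin() with AllowCredentials(). This policy is never registered.
    // options.AddPolicy("Insecure", p => p.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());
});

var app = builder.Build();

app.UseRouting();
app.UseCors("Frontend");     // must run after UseRouting and before UseAuthorization
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

With this in place, the development settings file lists `"Cors": { "AllowedOrigins": ["http://localhost:5173", "https://localhost:5173"] }` and the production settings list the deployed frontend origin, so the change described above becomes a configuration edit rather than a code change. Note that CORS only controls what other origins can read in the browser; it is not a substitute for CSRF protection on state-changing endpoints that rely on cookies.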