fix(server): CORS 生产环境拒绝通配符

iven
2026-05-06 10:21:50 +08:00
parent d9818c263e
commit f7bf5a86ea


@@ -808,12 +808,20 @@ fn build_cors_layer(allowed_origins: &str) -> tower_http::cors::CorsLayer {
.collect::<Vec<_>>();
if origins.len() == 1 && origins[0] == "*" {
#[cfg(not(debug_assertions))]
{
tracing::error!("CORS wildcard '*' is not allowed in production builds");
panic!("Refusing to start with CORS wildcard in release mode. Set ERP__CORS__ALLOWED_ORIGINS to specific domains.");
}
#[cfg(debug_assertions)]
{
tracing::warn!(
"⚠️ CORS 允许所有来源 — 仅限开发环境使用!\
生产环境请通过 ERP__CORS__ALLOWED_ORIGINS 设置具体的来源域名"
);
return tower_http::cors::CorsLayer::permissive();
}
}
let allowed: Vec<HeaderValue> = origins
.iter()