fix: API Helmet — allow cross-origin for frontend consumption

crossOriginResourcePolicy: 'same-origin' blocks browser fetch from platform.goodgo.vn to api.goodgo.vn. Changed to 'cross-origin'. Also disabled crossOriginEmbedderPolicy which conflicts with CORS. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 23:53:50 +07:00
parent b9ad280192
commit a394bb3139
1 changed files with 6 additions and 4 deletions
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -61,13 +61,14 @@ async function bootstrap() {
  // ── Security Headers (Helmet) ──
  app.use(
    helmet({
+      // CSP relaxed for API — responses are consumed cross-origin by the web frontend
      contentSecurityPolicy: {
        directives: {
          defaultSrc: ["'self'"],
          scriptSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
          styleSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
          imgSrc: ["'self'", 'data:', 'https:', 'blob:'],
-          connectSrc: ["'self'", 'https://cdn.jsdelivr.net'],
+          connectSrc: ["'self'", 'https://cdn.jsdelivr.net', 'https://api.goodgo.vn'],
          fontSrc: ["'self'", 'data:'],
          objectSrc: ["'none'"],
          frameSrc: ["'none'"],
@@ -75,9 +76,10 @@ async function bootstrap() {
          formAction: ["'self'"],
        },
      },
-      crossOriginEmbedderPolicy: true,
-      crossOriginOpenerPolicy: true,
-      crossOriginResourcePolicy: { policy: 'same-origin' },
+      // Must allow cross-origin for API consumed by platform.goodgo.vn
+      crossOriginEmbedderPolicy: false,
+      crossOriginOpenerPolicy: false,
+      crossOriginResourcePolicy: { policy: 'cross-origin' },
      frameguard: { action: 'deny' },
      hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
      referrerPolicy: { policy: 'strict-origin-when-cross-origin' },