From a394bb3139bc9763a1c9067d5d0b47602dc41a29 Mon Sep 17 00:00:00 2001
From: Ho Ngoc Hai
Date: Tue, 14 Apr 2026 23:53:50 +0700
Subject: [PATCH] =?UTF-8?q?fix:=20API=20Helmet=20=E2=80=94=20allow=20cross?= =?UTF-8?q?-origin=20for=20frontend=20consumption?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

crossOriginResourcePolicy: 'same-origin' blocks browser fetch from platform.goodgo.vn to api.goodgo.vn. Changed to 'cross-origin'. Also disabled crossOriginEmbedderPolicy which conflicts with CORS.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 apps/api/src/main.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/apps/api/src/main.ts b/apps/api/src/main.ts
index 09213f6..6f5ae42 100644
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -61,13 +61,14 @@ async function bootstrap() {
 // ── Security Headers (Helmet) ──
 app.use(
 helmet({
+ // CSP relaxed for API — responses are consumed cross-origin by the web frontend
 contentSecurityPolicy: {
 directives: {
 defaultSrc: ["'self'"],
 scriptSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
 styleSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
 imgSrc: ["'self'", 'data:', 'https:', 'blob:'],
- connectSrc: ["'self'", 'https://cdn.jsdelivr.net'],
+ connectSrc: ["'self'", 'https://cdn.jsdelivr.net', 'https://api.goodgo.vn'],
 fontSrc: ["'self'", 'data:'],
 objectSrc: ["'none'"],
 frameSrc: ["'none'"],
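Review bot: The new comment and the `connectSrc` addition give a rationale this header cannot deliver: a CSP sent on an API response governs only documents the API itself renders, not which origins `platform.goodgo.vn` may fetch from, so adding `https://api.goodgo.vn` to `connect-src` here does nothing for the cross-origin problem the commit targets. The entry only matters if the API serves a page of its own (the jsdelivr sources suggest something like a docs UI) that calls api.goodgo.vn, and if that page is served from api.goodgo.vn then `'self'` already permits it. I would replace the comment with `// CSP here only governs pages this API serves itself (e.g. a docs UI); cross-origin fetches from the web frontend are controlled by the CORS config, not by this header` and drop the `https://api.goodgo.vn` entry unless such a page is served from a different origin. The enclosing `helmet({ ... })` call and `bootstrap()` continue past the end of this hunk.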
@@ -75,9 +76,10 @@ async function bootstrap() {
 formAction: ["'self'"],
 },
 },
- crossOriginEmbedderPolicy: true,
- crossOriginOpenerPolicy: true,
- crossOriginResourcePolicy: { policy: 'same-origin' },
+ // Must allow cross-origin for API consumed by platform.goodgo.vn
+ crossOriginEmbedderPolicy: false,
+ crossOriginOpenerPolicy: false,
+ crossOriginResourcePolicy: { policy: 'cross-origin' },
 frameguard: { action: 'deny' },
 hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
 referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
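Review bot: `crossOriginResourcePolicy: { policy: 'cross-origin' }` is broader than the stated need: platform.goodgo.vn and api.goodgo.vn share the registrable domain goodgo.vn, so `crossOriginResourcePolicy: { policy: 'same-site' },` would unblock the frontend while still letting browsers refuse to load this API's responses in no-cors contexts (`<script src>`, `<img>`, etc.) from unrelated sites, which is the leak CORP exists to prevent. Note also that CORP only affects no-cors loads; a normal CORS-mode `fetch()` from the frontend is gated by the CORS response headers, so if the failure that prompted this change was a plain `fetch`, the CORS configuration (not visible in this hunk) is the thing to verify rather than CORP. Setting `crossOriginOpenerPolicy: false` has no bearing on cross-origin fetches (COOP applies to the API's own top-level documents), and COEP does not conflict with CORS as the commit message claims, so both could keep their previous values, or the comment should state the real reason they are disabled. The enclosing `helmet({ ... })` call opens before this hunk and `bootstrap()` continues after it.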