From b38e6110d22f578ba65672747df6a30ea5b13b11 Mon Sep 17 00:00:00 2001
From: Lucien Cartier-Tilet
Date: Mon, 1 Jun 2026 23:34:34 +0200
Subject: [PATCH] feat(settings): proper CORS in production

If the backend starts in production mode with no `frontend_url` is set, immediately panic and stop.
---
 src/startup.rs | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/startup.rs b/src/startup.rs
index c0cee45..48bc821 100644
--- a/src/startup.rs
+++ b/src/startup.rs
@@ -80,11 +80,22 @@ impl From for RunnableApplication {
 // Use very high limits to effectively disable rate limiting
 RateLimitConfig::new(u32::MAX, 1)
 };
-
+ let frontend_url = value.settings.frontend_url.clone();
+ let cors = if value.settings.debug {
+ Cors::new()
+ } else {
+ if !cfg!(test) {
+ assert!(
+ !frontend_url.is_empty(),
+ "CORS: frontend_url must be configured in production"
+ );
+ }
+ Cors::new().allow_origin(frontend_url)
+ };
 let app = value
 .app
 .with(RateLimit::new(&rate_limit_config))
- .with(Cors::new())
+ .with(cors)
 .data(value.settings);
 let server = value.server;
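Review bot: The `assert!` in the production branch rejects only an empty `frontend_url`, so a whitespace-only value, a URL with a trailing slash or path, or a value containing a wildcard all pass and go straight to `allow_origin`. Browsers send `Origin` as scheme://host[:port] with no trailing slash, so a mis-shaped value would likely either block the real frontend or, depending on how the CORS middleware treats wildcards, allow more origins than intended. Consider normalising and checking the shape before use, e.g. `let frontend_url = value.settings.frontend_url.trim().trim_end_matches('/').to_owned();` together with `assert!(!frontend_url.is_empty() && !frontend_url.contains('*'), "CORS: frontend_url must be a single explicit origin in production");`. The `cfg!(test)` bypass also lets a non-debug test run pass an empty string to `allow_origin`, so tests may not exercise the production CORS policy. The enclosing `from` body starts and ends outside the hunk.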