From 3d4de5cd8b1dfed5adff93f2eeac17ff50b1405d Mon Sep 17 00:00:00 2001
From: Lucien Cartier-Tilet <lucien@phundrak.com>
Date: Thu, 14 May 2026 21:26:04 +0200
Subject: [PATCH] fix(CORS): do not add "*" as an allowed host

---
 backend/src/settings/cors.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/backend/src/settings/cors.rs b/backend/src/settings/cors.rs
index 7c1c2a6..e8153b1 100644
--- a/backend/src/settings/cors.rs
+++ b/backend/src/settings/cors.rs
@@ -59,7 +59,9 @@ impl From<CorsSettings> for Cors {
         );
         let mut cors = Self::new();
         for origin in &val.allowed_origins {
-            cors = cors.allow_origin(origin);
+            if origin != "*" {
+                cors = cors.allow_origin(origin);
+            }
         }
         cors = cors.allow_methods(vec![
             Method::GET,