CORS origin callback strips trailing slashes, logs allowed origin at startup

A one-commit change in Maison-Retail-Management-International/mike swaps Express's static CORS origin string for a callback that normalizes trailing slashes before comparing. Small, self-contained, and fixes a silent misconfiguration failure mode.

securityinfrastructure

The original code passed process.env.FRONTEND_URL ?? "http://localhost:3000" directly to cors({ origin: ... }). If FRONTEND_URL was set with a trailing slash, that string never matched any browser-sent origin (browsers omit trailing slashes), so every cross-origin request was blocked with no obvious error.

Commit a2a1cb2 fixes this by pre-computing frontendUrl with .replace(/\/$/, "") applied to the env value, then using a callback that normalizes the incoming origin the same way before comparing. Requests with no Origin header pass through (standard behavior for non-browser clients). Anything else that doesn't match gets new Error('CORS blocked origin: ${origin}'). A startup log line prints CORS allowed origin: ${frontendUrl} so deployment misconfigurations surface immediately.

The change is 18 lines added in two files: backend/src/index.ts and a comment added to backend/.env.example pointing to the production workers.dev URL.

One constraint to note: it only supports a single allowed origin. If you need multiple allowed origins, you'd extend the callback with an array check.

So what Worth pulling if your Express backend has this same pattern. The trailing-slash normalization prevents a class of silent deployment failure, and the startup log cuts debugging time when `FRONTEND_URL` is misconfigured. The patch is small enough to apply by hand.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from Maison-Retail-Management-International/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
a2a1cb23 Harden CORS origin matching and log allowed FRONTEND_URL at startup. Thomas GUILLEMAUD 2026-05-20 ↗ GitHub
Co-authored-by: Cursor <cursoragent@cursor.com>

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-560.md from inside the repo you want the changes in.

⬇ Download capture-thread-560.md