Currently CORS is fully open (`Access-Control-Allow-Origin: *`) on all responses including admin APIs.
Since auth uses custom headers (`Authorization`, `X-Admin-Token`) rather than cookies, this isn't exploitable via cross-origin browser requests — the browser won't auto-attach those headers. So this is low priority.
However, tightening CORS on `/admin/api/*` to only allow same-origin requests would be a defense-in-depth improvement. The `/v1/*` proxy endpoints should remain `*` since they're meant to be called from arbitrary clients.
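As an added example (not code from this project), here is a per-route CORS policy along those lines: the public `/v1/*` proxy stays wildcard, `/admin/api/*` only echoes the app's own origin, and every other route gets no CORS grant. It assumes a hypothetical `APP_ORIGIN` for the admin UI and a request handler that calls `cors_headers` once per request to pick the headers to attach.

```python
"""Per-route CORS policy: wildcard for the public proxy, same-origin for admin."""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Assumed origin the admin UI is served from (hypothetical placeholder value).
APP_ORIGIN = "https://admin.example.com"

# Route policies, first match wins. "allow_any" keeps the public proxy callable
# from any client; the admin API only ever answers with the app's own origin.
CORS_POLICY: List[Tuple[str, dict]] = [
    ("/v1/*",        {"allow_any": True,  "allow_headers": ["Authorization"]}),
    ("/admin/api/*", {"allow_any": False, "allow_headers": ["Authorization", "X-Admin-Token"]}),
]


def cors_headers(path: str, origin: Optional[str], method: str) -> Dict[str, str]:
    """Return the CORS response headers to attach for one request.

    `origin` is the request's Origin header; None means a same-origin or
    non-browser request, which needs no CORS headers at all.
    """
    if origin is None:
        return {}
    for pattern, policy in CORS_POLICY:
        if fnmatchcase(path, pattern):
            break
    else:
        return {}  # routes without a policy get no CORS headers (deny by default)

    if policy["allow_any"]:
        headers = {"Access-Control-Allow-Origin": "*"}
    elif origin == APP_ORIGIN:
        # Echo the single allowed origin and tell caches the answer depends on it.
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    else:
        return {}  # cross-origin caller on the admin API: no grant, preflight fails

    if method.upper() == "OPTIONS":  # preflight for requests carrying custom headers
        headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE"
        headers["Access-Control-Allow-Headers"] = ", ".join(policy["allow_headers"])
        headers["Access-Control-Max-Age"] = "600"
    return headers
```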