server/security.ts

Parses ALLOWED_ORIGINS env var into regex matchers for request source verification. This is NOT a CSRF protection mechanism - it's a simple origin/referer allowlist that verifies requests are coming from expected sources.

Accepts comma-separated patterns with limited wildcards: - Exact origins: https://api.example.com - Wildcard subdomains: https://*.example.com (matches exactly one subdomain level) - Multiple wildcards: https://*.staging.*.example.com (for deep subdomains) - Wildcard ports: http://localhost:* (matches any port or no port) - IPv6 addresses: http://[::1]:3000, https://[2001:db8::1] - Combined: https://*.example.com:*

Examples: - http://localhost:3000,https://prod.example.com - https://*.api.example.com,http://127.0.0.1:* - http://[::1]:*,https://*.*.corp.example.com:*

Tests if a request source (origin or referer) matches any of the allowed patterns. Pattern matching is case-insensitive for domains (as per web standards).

Middleware that verifies the request source against an allowlist.

NOT a CSRF protection - this is a simple origin/referer check that: - Checks the Origin header first (if present) - Falls back to Referer header (if no Origin) - Allows requests without Origin/Referer headers (direct access, curl, etc.)

This is useful for: - Protecting locally-running services from being called by untrusted websites as the user browses the web - Restricting which domains can make requests to your API - Preventing embedding of your service in unexpected sites - Basic source verification (but NOT security-critical CSRF protection)