Summary
The Go API gateway treats an empty CORS allowlist as "allow every Origin". That means a browser page from any origin can read gateway responses when the gateway is reachable, including optional audit control-plane routes.
Evidence
- apps/api-go/cmd/platform-api/main.go defaults --cors-allowed-origins / DIFFAUDIT_CORS_ALLOWED_ORIGINS to an empty string and documents that as empty = allow all.
- apps/api-go/internal/proxy/middleware.go reflects the request Origin whenever AllowedOrigins is empty.
- The same gateway CORS config allows the GET, POST, DELETE, OPTIONS methods and the Content-Type, Authorization, X-Request-ID headers.
- apps/api-go/internal/proxy/server.go exposes optional audit control-plane routes such as POST /api/v1/audit/jobs and DELETE /api/v1/audit/jobs/{jobID}.
Impact
If a deployer exposes the Go gateway directly or binds it more broadly during evaluation, any website can make browser-readable requests to the gateway. In demo mode this leaks demo snapshot/control-plane data cross-origin; in live mode it expands the attack surface around Runtime-backed audit job creation/cancellation wherever the gateway is reachable without per-request authentication. Note that the evidence above does not show Access-Control-Allow-Credentials being set, so the cross-origin read applies to whatever the gateway serves to an unauthenticated or network-trusted caller; an attacker page cannot supply a victim's Authorization header on its own. This is a product safety issue because public templates should fail closed unless an origin is explicitly trusted.
Reproduction / Code Location
- Start the Go gateway without DIFFAUDIT_CORS_ALLOWED_ORIGINS or --cors-allowed-origins.
- Send a request with Origin: https://attacker.example.
- The response includes Access-Control-Allow-Origin: https://attacker.example instead of omitting CORS headers.
Relevant code:
apps/api-go/cmd/platform-api/main.go: CORS flag default/help text and allowed methods/headers.
apps/api-go/internal/proxy/middleware.go: len(c.AllowedOrigins) == 0 returns true.
apps/api-go/internal/proxy/middleware_test.go: tests currently assert the allow-all behavior.
Suggested Fix
- Change empty AllowedOrigins to mean "disable browser cross-origin access".
- Keep exact-match allowlist behavior for configured origins.
- Keep same-origin/non-browser requests without an Origin header working.
- Update flag/help text and CORS middleware tests.
- Keep deploy/runtime.env.example as the example path for local web-to-api CORS.
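The following is an added example, not code from the diffaudit repository, that serves both the Reproduction and Suggested Fix sections above. It models the origin decision with a standalone middleware so the reported behavior and the fail-closed fix can be probed side by side with net/http/httptest. The type name corsConfig, the AllowAllWhenEmpty switch (which reproduces the reported default when set and the proposed fix when unset), and the probe helper are assumptions for illustration; the method and header lists match the Evidence section.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsConfig stands in for the gateway's CORS config. The field and function
// names here are assumptions for this example, not the project's own.
type corsConfig struct {
	AllowedOrigins    []string
	AllowAllWhenEmpty bool // true reproduces the reported "empty = allow all" default
}

// originAllowed is the decision the finding is about. With AllowAllWhenEmpty
// set, an empty allowlist accepts any Origin; unset, an empty allowlist fails closed.
func (c corsConfig) originAllowed(origin string) bool {
	if len(c.AllowedOrigins) == 0 {
		return c.AllowAllWhenEmpty
	}
	for _, allowed := range c.AllowedOrigins {
		if allowed == origin { // exact match only: no prefix, suffix or wildcard matching
			return true
		}
	}
	return false
}

// middleware emits CORS headers only for an allowed Origin. Requests without an
// Origin header (same-origin navigations, curl, service-to-service) pass through untouched.
func (c corsConfig) middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && c.originAllowed(origin) {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin)
			h.Add("Vary", "Origin") // stop shared caches serving one origin's response to another
			h.Set("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Request-ID")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight ends here, with or without CORS headers
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one GET through the middleware and returns the status code and the
// Access-Control-Allow-Origin value a browser would see ("" when the header is omitted).
func probe(c corsConfig, origin string) (int, string) {
	h := c.middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/v1/audit/jobs", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	attacker := "https://attacker.example"
	reported := corsConfig{AllowAllWhenEmpty: true}                        // current behavior
	fixed := corsConfig{}                                                  // proposed fail-closed default
	local := corsConfig{AllowedOrigins: []string{"http://localhost:3000"}} // explicit allowlist

	for _, tc := range []struct {
		name string
		cfg  corsConfig
	}{{"reported default", reported}, {"fail-closed default", fixed}, {"explicit allowlist", local}} {
		status, acao := probe(tc.cfg, attacker)
		fmt.Printf("%-20s Origin=%s -> %d ACAO=%q\n", tc.name, attacker, status, acao)
	}
	status, acao := probe(local, "http://localhost:3000")
	fmt.Printf("%-20s Origin=%s -> %d ACAO=%q\n", "explicit allowlist", "http://localhost:3000", status, acao)
	status, acao = probe(fixed, "")
	fmt.Printf("%-20s no Origin -> %d ACAO=%q\n", "fail-closed default", status, acao)
}
```

With the reported default the attacker origin is echoed back in Access-Control-Allow-Origin; with the fail-closed default the header is omitted while the request itself still returns 200, which is what keeps same-origin and non-browser callers working. The exact-match loop is deliberate: a prefix or suffix comparison would let http://localhost:3000.attacker.example through, and the Vary: Origin header matters as soon as an allowlist contains more than one origin and a cache sits in front of the gateway.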
Responsible Agent
Developer