From ea34c17f4e004350e5e08faab44076de069317a0 Mon Sep 17 00:00:00 2001 From: Sebastion Date: Fri, 27 Mar 2026 01:35:20 +0000 Subject: [PATCH] fix: reject requests with missing Origin header in origin validation middleware The originValidationMiddleware only checked whether a present Origin header matched the allowlist. When the Origin header was absent (as with curl, scripts, or any non-browser HTTP client), the check was skipped entirely, allowing unauthenticated access to all protected endpoints. Changed the condition from `if (origin && !allowedOrigins.includes(origin))` to `if (!origin || !allowedOrigins.includes(origin))` so that requests without an Origin header are also rejected with 403 Forbidden. This prevents non-browser CSRF and unauthorized access from tools that do not send an Origin header, which is especially critical when combined with DANGEROUSLY_OMIT_AUTH=true. CWE-346: Origin Validation Error --- server/src/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/src/index.ts b/server/src/index.ts index 4d1fffa29..4570d512f 100644 --- a/server/src/index.ts +++ b/server/src/index.ts @@ -203,7 +203,7 @@ const originValidationMiddleware = ( defaultOrigin, ]; - if (origin && !allowedOrigins.includes(origin)) { + if (!origin || !allowedOrigins.includes(origin)) { console.error(`Invalid origin: ${origin}`); res.status(403).json({ error: "Forbidden - invalid origin",
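Review bot: the new condition `if (!origin || !allowedOrigins.includes(origin))` makes every request without an Origin header fail closed, and the log line that follows, `console.error(\`Invalid origin: ${origin}\`)`, will now print "Invalid origin: undefined" for that case; split the two branches so the log and the 403 body say "missing Origin header" versus "origin not in allowlist", which is what an operator reading the log or writing a detection rule needs to tell a CSRF attempt from a misconfigured client. Also note in the commit message that this rejects same-origin browser requests that omit Origin (plain GET navigations, for example) and any legitimate non-browser client, so whoever deploys it knows those callers must now send an allowlisted Origin. Finally, the message's framing of "unauthenticated access" and DANGEROUSLY_OMIT_AUTH=true overstates what the hunk does: Origin is set by the client, so a script can simply send one of the allowlisted values; this change is a CSRF hardening for browser traffic and should be described as such, not as a substitute for the authentication that flag disables.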