From 6b89f7bd7213ce5202ad391f9dca3aebb97a726a Mon Sep 17 00:00:00 2001
From: OlgunR
Date: Mon, 19 Jan 2026 17:08:55 +0100
Subject: [PATCH] Improve CORS config: block all if no origins specified
Refined CORS policy in Program.cs for better security. In development, all origins are allowed. In production, only configured origins are allowed; if none are specified, all cross-origin requests are blocked by default. Switched to Array.Empty() for clarity.
---
 DbFirst.API/Program.cs | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/DbFirst.API/Program.cs b/DbFirst.API/Program.cs
index 3cc1af7..2fb8a22 100644
--- a/DbFirst.API/Program.cs
+++ b/DbFirst.API/Program.cs
@@ -1,6 +1,7 @@
 using DbFirst.API.Middleware;
 using DbFirst.Application;
 using DbFirst.Application.Repositories;
+using DbFirst.Domain;
 using DbFirst.Infrastructure;
 using DbFirst.Infrastructure.Repositories;
@@ -15,10 +16,10 @@ builder.Services.AddSwaggerGen();
 // In any case, dont let them to free to use without cors. if there is no origin specified, block all.
 // In development you can keep it easy.
 builder.Services.AddCors(options =>
-{
+{
 options.AddDefaultPolicy(policy =>
 {
- if(builder.Environment.IsDevelopment())
+ if (builder.Environment.IsDevelopment())
 {
 policy.AllowAnyOrigin()
 .AllowAnyHeader()
@@ -26,10 +27,14 @@ builder.Services.AddCors(options =>
 }
 else
 {
- var origins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get() ?? [];
- policy.WithOrigins(origins)
- .AllowAnyHeader()
- .AllowAnyMethod();
+ var origins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get() ?? Array.Empty();
+ if (origins.Length > 0)
+ {
+ policy.WithOrigins(origins)
+ .AllowAnyHeader()
+ .AllowAnyMethod();
+ }
+ // if no origins configured, deny all by leaving policy without allowances
 }
 });
 });
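Review bot: A `Cors:AllowedOrigins` entry of `"*"` would defeat the production branch in the third hunk: as far as I recall, ASP.NET Core's `CorsPolicy.AllowAnyOrigin` is simply `Origins.Contains("*")`, so a single configuration value passed through `policy.WithOrigins(origins)` reopens the API to every origin, and the new `origins.Length > 0` check does not catch it. Add a guard before the `WithOrigins` call, e.g. `if (Array.IndexOf(origins, "*") >= 0) throw new InvalidOperationException("Cors:AllowedOrigins must list explicit origins; '*' is not allowed in production.");` — failing at startup is what makes the misconfiguration visible instead of silently widening exposure. The empty-list case also fails silently: a production deploy without `Cors:AllowedOrigins` now registers a policy that emits no CORS headers and breaks every browser client with no startup signal, so at minimum log a warning on that path. The trailing comment overstates what this achieves; I would reword it to `// no origins configured: no CORS headers are emitted, so browsers refuse cross-origin reads — requests still reach the server, this is not access control`. The `AddCors`/`AddDefaultPolicy` lambdas enclosing this `else` branch begin in the previous hunk.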