From 36b62be2e18ef7f6c0243b7c0ccc29bc6fd1f6ed Mon Sep 17 00:00:00 2001 From: salvacybersec Date: Tue, 11 Nov 2025 07:42:40 +0300 Subject: [PATCH] corsu siktim v2
---
 backend/src/app.js | 43 ++++++++++++++++++++++++++----------------- 1 file changed, 26 insertions(+), 17 deletions(-)
diff --git a/backend/src/app.js b/backend/src/app.js
index 71a3401..60355db 100644
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -12,30 +12,34 @@ const { apiLimiter } = require('./middlewares/rateLimiter');
 const app = express();
 const PORT = process.env.PORT || 3000;
-// Security middleware - CSP ayarlarını gevşet (inline script'ler için)
+// Security middleware - CSP'yi devre dışı bırak (CORS ve mixed content sorunları için)
 app.use(helmet({
- contentSecurityPolicy: {
- directives: {
- defaultSrc: ["'self'"],
- scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "http://*", "https://*"],
- styleSrc: ["'self'", "'unsafe-inline'", "http://*", "https://*"],
- imgSrc: ["'self'", "data:", "http://*", "https://*"],
- connectSrc: ["'self'", "http://*", "https://*"],
- fontSrc: ["'self'", "data:", "http://*", "https://*"],
- objectSrc: ["'none'"],
- mediaSrc: ["'self'"],
- frameSrc: ["'none'"],
- },
- },
+ contentSecurityPolicy: false, // CSP'yi tamamen kapat
 crossOriginEmbedderPolicy: false,
+ crossOriginResourcePolicy: { policy: "cross-origin" },
 }));
-// CORS - Her yerden erişime izin ver
+// CORS - Her yerden erişime izin ver (tüm route'larda)
+app.use((req, res, next) => {
+ res.header('Access-Control-Allow-Origin', '*');
+ res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS');
+ res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
+ res.header('Access-Control-Allow-Credentials', 'true');
+
+ // OPTIONS request'i için hemen cevap ver
+ if (req.method === 'OPTIONS') {
+ return res.sendStatus(200);
+ }
+
+ next();
+});
+
+// CORS middleware'i de ekle (çift güvence)
 app.use(cors({
- origin: true, // Tüm origin'lere izin ver
+ origin: '*', // Tüm origin'lere izin ver
 credentials: true,
 methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
- allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
+ allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With', 'Origin', 'Accept'],
 }));
 // Body parsing middleware
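Review bot: The new hand-rolled CORS middleware sends `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, a combination browsers refuse for credentialed requests, so `credentials: true` here and in the `cors()` call below has no effect, and the only way to make it take effect would be to echo arbitrary origins, which would let any site call the API with the user's cookies. If credentialed cross-origin calls are needed, replace the wildcard with an explicit allow-list in the `cors()` options, e.g. `origin: ALLOWED_ORIGINS` (a placeholder for the front-end origins), and drop the manual middleware, which sets the same headers `cors()` then sets again and answers every OPTIONS request with `sendStatus(200)` before the rest of the stack sees it. The `contentSecurityPolicy: false` change also discards the `object-src 'none'` and `frame-src 'none'` directives the old policy kept; CSP does not govern CORS, and if helmet's default `upgrade-insecure-requests` directive was behind the mixed-content problem, the targeted fix is to remove that directive (`'upgrade-insecure-requests': null` under `directives`, or `useDefaults: false`) rather than disabling the header entirely.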
@@ -101,6 +105,11 @@ app.get('*', (req, res, next) => { return next(); } + // CORS headers for HTML + res.header('Access-Control-Allow-Origin', '*'); + res.header('Access-Control-Allow-Methods', 'GET, OPTIONS'); + res.header('Access-Control-Allow-Headers', 'Content-Type'); + // Serve frontend index.html for all other routes const frontendPath = path.join(__dirname, 'public', 'dist', 'index.html'); res.sendFile(frontendPath, (err) => {
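Review bot: The three `res.header(...)` calls added before the index.html send are redundant with the global CORS middleware earlier in this file, which already sets `Access-Control-Allow-Origin: *` on every response, and `Access-Control-Allow-Methods`/`Access-Control-Allow-Headers` only matter on preflight responses, which that middleware answers with `sendStatus(200)` before this handler runs. The only observable effect is to overwrite the method list with the narrower `GET, OPTIONS` on a non-preflight response, which browsers ignore, so I would delete these lines rather than carry a second, inconsistent copy of the policy. The enclosing `app.get('*', ...)` handler starts before this hunk and its `sendFile` callback continues after it.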