feat(api): sync api and api-server CORS headers (#51608)

api/src/plugins/cors.ts

@@ -3,8 +3,6 @@ import { FastifyPluginCallback } from 'fastify';
 import fp from 'fastify-plugin';
 import { HOME_LOCATION } from '../utils/env';
 
-// import { FREECODECAMP_NODE_ENV } from '../utils/env';
-
 const allowedOrigins = [
   'https://www.freecodecamp.dev',
   'https://www.freecodecamp.org',
@@ -34,9 +32,14 @@ const cors: FastifyPluginCallback = (fastify, _options, done) => {
     void reply
       .header(
         'Access-Control-Allow-Headers',
-        'Origin, X-Requested-With, Content-Type, Accept'
+        'Origin, X-Requested-With, Content-Type, Accept, Csrf-Token'
       )
-      .header('Access-Control-Allow-Credentials', true);
+      .header('Access-Control-Allow-Credentials', true)
+      // These 4 are the only methods we use
+      .header('Access-Control-Allow-Methods', 'GET, PUT, POST, DELETE')
+      // Vary: Origin to prevent cache poisoning
+      // TODO: do we need Vary: Accept-Encoding?
+      .header('Vary', 'Origin, Accept-Encoding');
   });
 
   done();

api/src/server.test.ts

@@ -89,12 +89,13 @@ describe('server', () => {
       });
     });
 
-    test('should have Access-Control-Allow-(Headers+Credentials) headers', async () => {
+    test('should have CORS headers', async () => {
       const res = await superRequest('/', { method: 'GET' });
       expect(res.headers).toMatchObject({
         'access-control-allow-headers':
-          'Origin, X-Requested-With, Content-Type, Accept',
-        'access-control-allow-credentials': 'true'
+          'Origin, X-Requested-With, Content-Type, Accept, Csrf-Token',
+        'access-control-allow-credentials': 'true',
+        'access-control-allow-methods': 'GET, PUT, POST, DELETE'
       });
     });
   });