fix: allow server-to-server requests to /health without CORS block

2026-04-05 14:02:55 +09:00 · 2026-04-05 14:02:55 +09:00 · 955da8899b
parent 8e9f232dba
commit 955da8899b
1 changed files with 13 additions and 0 deletions
--- a/server.js
+++ b/server.js
@ -136,8 +136,21 @@ app.use((req, res, next) => {
    next();
 });

+// /health はサーバー間プロキシ経由で origin なしリクエストが来るため先に CORS * で通す
+app.use((req, res, next) => {
+    if (req.path === '/brain/api/health' || req.path === '/api/health') {
+        res.setHeader('Access-Control-Allow-Origin', '*');
+    }
+    next();
+});
+
 app.use(cors({
    origin: (origin, cb) => {
+        if (!origin) {
+            // origin なし = サーバー間リクエスト（curl / Node fetch 等）。/health のみ通過させる
+            // それ以外のエンドポイントはCSRF対策で拒否
+            return cb(null, false);
+        }
        if (isAllowedOrigin(origin)) cb(null, true);
        else cb(new Error('CORS not allowed'));
    },