From 955da8899bd8e732d97199b97571d9470b2b97dd Mon Sep 17 00:00:00 2001
From: posimai <posimai.project@gmail.com>
Date: Sun, 5 Apr 2026 14:02:55 +0900
Subject: [PATCH] fix: allow server-to-server requests to /health without CORS
 block

---
 server.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/server.js b/server.js
index 5b87be80..fbd74b5b 100644
--- a/server.js
+++ b/server.js
@@ -136,8 +136,21 @@ app.use((req, res, next) => {
     next();
 });
 
+// /health はサーバー間プロキシ経由で origin なしリクエストが来るため先に CORS * で通す
+app.use((req, res, next) => {
+    if (req.path === '/brain/api/health' || req.path === '/api/health') {
+        res.setHeader('Access-Control-Allow-Origin', '*');
+    }
+    next();
+});
+
 app.use(cors({
     origin: (origin, cb) => {
+        if (!origin) {
+            // origin なし = サーバー間リクエスト（curl / Node fetch 等）。/health のみ通過させる
+            // それ以外のエンドポイントはCSRF対策で拒否
+            return cb(null, false);
+        }
         if (isAllowedOrigin(origin)) cb(null, true);
         else cb(new Error('CORS not allowed'));
     },