From 5a86c8c83a2a043257be21984ba9c41f923f101b Mon Sep 17 00:00:00 2001
From: wiz <j@wiz.biz>
Date: Sat, 13 Jul 2024 19:56:17 +0900
Subject: [PATCH] ops: Set HTTP CORS headers in nginx for services

---
 .../nginx/location-api-v1-services.conf       | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/production/nginx/location-api-v1-services.conf b/production/nginx/location-api-v1-services.conf
index 3efff38e4..2b74124ca 100644
--- a/production/nginx/location-api-v1-services.conf
+++ b/production/nginx/location-api-v1-services.conf
@@ -58,6 +58,27 @@ location @mempool-api-v1-services-cache-disabled {
 	add_header 'Pragma' 'no-cache';
 	add_header 'Cache-Control' 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
 
+	# generate CORS configuration from origin header
+	set $cors_methods 'GET, POST, PUT, DELETE, OPTIONS';
+	set $cors_origin 'https://mempool.space';
+	set $cors_headers 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
+	set $cors_credentials 'true';
+
+	# set CORS for approved hostnames
+	if ($cors_approved_origin = 'legit')
+	{
+		set $cors_methods 'GET, POST, PUT, DELETE, OPTIONS';
+		set $cors_origin "$http_origin";
+		set $cors_headers 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
+		set $cors_credentials 'true';
+	}
+
+	# set CORS for approved hostnames
+	add_header Access-Control-Allow-Methods "$cors_methods" always;
+	add_header Access-Control-Allow-Origin "$cors_origin" always;
+	add_header Access-Control-Allow-Headers "$cors_headers" always;
+	add_header Access-Control-Allow-Credentials "$cors_credentials" always;
+
 	proxy_redirect off;
 	proxy_buffering off;