Nester API CORS Policy Flaw: Wildcard Origin Exposes DeFi User Data to Cross-Site Theft
A critical security misconfiguration in Nester's backend API exposes authenticated user data and financial operations to potential cross-site theft. The API's CORS (Cross-Origin Resource Sharing) policy is set to a wildcard (`Access-Control-Allow-Origin: *`), instructing browsers to allow any website on the internet to make requests to the Nester API and read the full response. For a DeFi platform handling wallet authentication, bank settlement details, vault management, and sensitive portfolio data, this represents a significant over-permission and a direct vector for data exfiltration.
The flaw is located in the `apps/api/internal/middleware/cors.go` file, as identified by backend and frontend security auditors. While the API uses Bearer token authentication—which mitigates classic Cross-Site Request Forgery (CSRF)—the wildcard CORS policy enables a more sophisticated attack chain. A malicious website could silently read authenticated API responses if it can obtain a user's JWT token through any means, such as a separate cross-site scripting (XSS) vulnerability, local storage theft, or if the token is ever leaked in a URL parameter. This transforms a stolen token into a direct pipeline for harvesting live financial data.
The risk is not theoretical; it is a concrete architectural flaw that lowers the barrier for credential-based attacks. Because settlement requests and vault management functions are exposed, an attacker holding a compromised token could monitor and potentially intercept sensitive financial operations. The misconfiguration relaxes the browser's same-origin policy for every API endpoint, effectively disabling a core security layer and creating a persistent data leak risk for all authenticated users until the CORS policy is restricted to explicitly trusted origins.
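As an added illustration (not Nester's own `cors.go`), the following Go middleware places the wildcard pattern beside a hardened exact-match origin allowlist and shows what `Access-Control-Allow-Origin` a browser would see in each case; the origins and the `/v1/vaults` path are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)
// wildcardCORS reproduces the weak pattern: any origin may read the response.
func wildcardCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		next.ServeHTTP(w, r)
	})
}
// allowlistCORS is the hardened form: reflect only an exact-match trusted origin;
// otherwise send no CORS headers at all, so the browser withholds the body.
func allowlistCORS(trusted []string, next http.Handler) http.Handler {
	allowed := map[string]bool{}
	for _, o := range trusted {
		allowed[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); allowed[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin") // keep caches from reusing another origin's answer
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight ends at the middleware
			return
		}
		next.ServeHTTP(w, r)
	})
}

// allowOriginFor sends a cross-origin GET through h (constructed request) and
// returns the Access-Control-Allow-Origin value the browser would enforce.
func allowOriginFor(h http.Handler, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/v1/vaults", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, `{"vaults":[]}`) })
	fmt.Printf("wildcard: %q\n", allowOriginFor(wildcardCORS(api), "https://evil.example"))
	fmt.Printf("allowlist: %q\n", allowOriginFor(allowlistCORS([]string{"https://app.example"}, api), "https://evil.example"))
}
```

An empty header value means the browser blocks the calling page from reading the response; note that a suffix or substring match on the origin would reopen the hole, which is why the lookup is exact.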