
feat: update cors * csrf

YusufSyam hai 1 mes
pai
achega
13f132b9f9
Modificáronse 2 ficheiros con 24 adicións e 1 borrados
  1. 4 0
      .env.example
  2. 20 1
      src/payload.config.ts

+ 4 - 0
.env.example

@@ -4,6 +4,10 @@ DATABASE_URL=postgresql://postgres:password123@127.0.0.1:5432/postgres
 PAYLOAD_SECRET=your_payload_secret
 NODE_ENV=development
 
+# Public URL of this Payload app (no trailing slash). Used for admin links; Payload also adds it to CSRF allowlist.
+# Example production: https://api.hanoman.co.id — optional for pure localhost dev.
+# PAYLOAD_SERVER_URL=
+
 # Contact endpoint configuration
 CONTACT_TO_EMAIL=team@example.com
 FRONTEND_ORIGIN=http://localhost:3000

+ 20 - 1
src/payload.config.ts

@@ -18,6 +18,23 @@ const dirname = path.dirname(filename)
 
 /** Upload collection `media` uses Payload default local storage (`./media` relative to the app cwd). */
 
+/**
+ * Trusted browser `Origin` values for:
+ * - `cors`: REST/GraphQL dari frontend
+ * - `csrf`: pengambilan JWT dari cookie (admin / sesi) — Origin harus ada di daftar ini
+ */
+const trustedBrowserOrigins: string[] = [
+  'http://localhost:3000',
+  'http://localhost:3001',
+  'http://127.0.0.1:3000',
+  'http://127.0.0.1:3001',
+  'https://hanoman.co.id',
+  'https://www.hanoman.co.id',
+]
+
+/** URL publik backend (mis. https://api.hanoman.co.id). Kosongkan di lokal jika akses lewat localhost:3000. */
+const serverURL = process.env.PAYLOAD_SERVER_URL?.trim() ?? ''
+
 export default buildConfig({
   admin: {
     user: Users.slug,
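Review bot: The allowlist at lines 43–46 ships the `localhost` and `127.0.0.1` development origins into production as well, where they become trusted `Origin` values for both CORS and the cookie-based CSRF check on line 63–64. Any page a user happens to be serving on their own machine at those ports is then treated like the real frontend, which the fixed `https://hanoman.co.id` entries presumably did not intend. Splitting the list by `NODE_ENV` (already present in `.env.example`) keeps production limited to the public hosts. `FRONTEND_ORIGIN` from `.env.example` is not consulted here either; if it is meant to drive this list, appending `process.env.FRONTEND_ORIGIN` when set would avoid maintaining two copies. Separately, `serverURL` on line 52 is trimmed but a trailing slash is not stripped even though `.env.example` asks for none; `process.env.PAYLOAD_SERVER_URL?.trim().replace(/\/+$/, '') ?? ''` would enforce it.
```typescript
/** Public hosts that are trusted in every environment. */
const productionOrigins = ['https://hanoman.co.id', 'https://www.hanoman.co.id']

/** Local development origins; trusted only outside production. */
const developmentOrigins = [
  'http://localhost:3000',
  'http://localhost:3001',
  'http://127.0.0.1:3000',
  'http://127.0.0.1:3001',
]

const trustedBrowserOrigins: string[] =
  process.env.NODE_ENV === 'production'
    ? productionOrigins
    : [...productionOrigins, ...developmentOrigins]

// … unchanged: serverURL, buildConfig …
```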
@@ -37,7 +54,9 @@ export default buildConfig({
     },
   }),
   sharp,
-  cors: '*',
+  ...(serverURL ? { serverURL } : {}),
+  cors: trustedBrowserOrigins,
+  csrf: trustedBrowserOrigins,
   // Rate limiting is implemented in src/middleware.ts
   // Configuration: 500 requests per 15 minutes, trustProxy: true
 })