nginx: add CORS for /storage

[jokester]

moeflow-com/moeflow-frontend#41 may require this preset , if site and /storage are in different origins

Summary by CodeRabbit

• Documentation
  • Added a commented CORS configuration block with explanatory notes (origin, credentials, methods, headers, max-age) to help users enable CORS when needed. Disabled by default; no behavior change.
• Chores
  • Minor formatting cleanup for readability.
  • No runtime or functional changes; existing behavior remains unchanged.

[coderabbitai]

Walkthrough

Adds a commented CORS configuration block to the non-SSL server’s /storage location in nginx/templates/default.conf.template, including documentation comments and disabled add_header directives. Inserts a blank line before the alias directive. No functional changes; headers remain inactive unless uncommented.

Changes

Cohort / File(s)	Summary
Nginx template CORS comments nginx/templates/default.conf.template	Inserted documented, commented CORS add_header directives under non-SSL /storage location; added heading comment and a blank line before alias. No runtime behavior change.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

I twitch my ears at CORS so neat,
Commented crumbs, a future treat.
Headers snooze, no traffic stirred,
Await the day they’re uncommented, heard.
In config fields I softly hop—
Prepared paths, a tidy stop.
🥕 Nginx dreams; I’ll guard the shop.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "nginx: add CORS for /storage" is concise, clearly scoped, and accurately summarizes the PR's primary change (adding a CORS preset to the nginx /storage location). It is specific enough for a teammate scanning history and avoids unnecessary noise.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

nginx/templates/default.conf.template (1)

35-41: CORS preset needs fixes before use: avoid wildcard+credentials, handle OPTIONS, add always, and expose range headers.

If enabled as‑is, this template would:

• Send Access-Control-Allow-Credentials: true with * origin (invalid per CORS).
• Miss HEAD method and preflight handling for OPTIONS.
• Omit always, so headers won’t appear on 206/4xx and some preflight responses.
• Omit Access-Control-Expose-Headers needed for range/streaming.

Apply this improved commented preset so it’s correct when uncommented:

-        # Uncomment the following lines to allow CORS
-        # add_header 'Access-Control-Allow-Origin' '*';
-        # add_header 'Access-Control-Allow-Credentials' 'true';
-        # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-        # add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-        # add_header 'Access-Control-Max-Age' 3600;
+        # CORS (public, no credentials). Safe default when /storage is read-only:
+        # add_header 'Access-Control-Allow-Origin' '*' always;
+        # add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS' always;
+        # add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,Range' always;
+        # add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
+        # add_header 'Access-Control-Max-Age' 86400 always;
+        # if ($request_method = 'OPTIONS') { return 204; }
+
+        # If you must support credentials, DO NOT use '*' for ACAO.
+        # Prefer whitelisting and echoing the origin (example shown below).

Example (credentials + whitelist). Place near http{} or server{} and then uncomment in this location:

# http { ... }
# map $http_origin $cors_origin {
#     default "";
#     "~^https?://(app|www)\.example\.com$" $http_origin;
# }
# In location /storage:
# add_header 'Access-Control-Allow-Origin' $cors_origin always;
# add_header 'Vary' 'Origin' always;
# add_header 'Access-Control-Allow-Credentials' 'true' always;
# add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS' always;
# add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,Range' always;
# add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
# add_header 'Access-Control-Max-Age' 86400 always;
# if ($request_method = 'OPTIONS') { return 204; }

Please confirm:

• Do you need credentials? If yes, which exact origins should be allowed?
• What Nginx version are you deploying? (always requires 1.7.5+, common but worth confirming.)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bd400b7 and 84c0fc2.

📒 Files selected for processing (1)

• nginx/templates/default.conf.template (1 hunks)