From a556a39a67d15d3446f5c0b880d448f597ab3b2d Mon Sep 17 00:00:00 2001
From: abcxff <79597906+abcxff@users.noreply.github.com>
Date: Mon, 4 May 2026 18:13:18 -0400
Subject: [PATCH] fix(cors): use explicit header allowlist fallback instead of wildcard

---
 .../packages/rivetkit/src/common/actor-router-consts.ts | 1 +
 rivetkit-typescript/packages/rivetkit/src/common/cors.ts | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/rivetkit-typescript/packages/rivetkit/src/common/actor-router-consts.ts b/rivetkit-typescript/packages/rivetkit/src/common/actor-router-consts.ts
index 4ad7a783b7..46540a6e71 100644
--- a/rivetkit-typescript/packages/rivetkit/src/common/actor-router-consts.ts
+++ b/rivetkit-typescript/packages/rivetkit/src/common/actor-router-consts.ts
@@ -46,6 +46,7 @@ export const WS_TEST_PROTOCOL_PATH = "test_path.";
  * Used for CORS.
  **/
 export const ALLOWED_PUBLIC_HEADERS = [
+ "Authorization",
  "Content-Type",
  "User-Agent",
  HEADER_ACTOR_QUERY,
diff --git a/rivetkit-typescript/packages/rivetkit/src/common/cors.ts b/rivetkit-typescript/packages/rivetkit/src/common/cors.ts
index 3b63012fcc..2300f1fb18 100644
--- a/rivetkit-typescript/packages/rivetkit/src/common/cors.ts
+++ b/rivetkit-typescript/packages/rivetkit/src/common/cors.ts
@@ -1,4 +1,7 @@
 import type { MiddlewareHandler } from "hono";
+import { ALLOWED_PUBLIC_HEADERS } from "@/common/actor-router-consts";
+
+const DEFAULT_ALLOWED_HEADERS = ALLOWED_PUBLIC_HEADERS.join(", ");
 
 /**
  * Simple CORS middleware that matches the gateway behavior.
@@ -18,7 +21,8 @@ export const cors = (): MiddlewareHandler => {
  // Handle preflight OPTIONS request
  if (c.req.method === "OPTIONS") {
  const requestHeaders =
- c.req.header("access-control-request-headers") || "*";
+ c.req.header("access-control-request-headers") ??
+ DEFAULT_ALLOWED_HEADERS;
  c.header("access-control-allow-origin", origin);
  c.header("access-control-allow-credentials", "true");
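Review bot: The `"Authorization"` entry is added to `ALLOWED_PUBLIC_HEADERS` while the doc comment above it still only says `* Used for CORS.`, which does not tell a later editor what adding an entry here implies. From the cors.ts hunks in this patch the list is joined into a fallback preflight value, so every name in it is presumably advertised to browsers in preflight responses; a line in that comment would make the consequence explicit: `* Every entry is advertised to browsers in CORS preflight responses, so add headers here deliberately.` The array continues past the end of this hunk, so I cannot see whether other consumers of the list exist.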
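Review bot: `DEFAULT_ALLOWED_HEADERS` is introduced at module level without a comment, and its name reads as a general allowlist even though, from the later preflight hunk, it appears to serve only as the value used when a preflight carries no `access-control-request-headers`; a supplied header value still seems to be taken as-is. A short doc comment would keep the next reader from assuming the list is enforced: `/** Fallback for the preflight allow-headers value when the request sends no access-control-request-headers. Not an enforced allowlist. */`. The computation itself is fine to do once at import time since `ALLOWED_PUBLIC_HEADERS` is a constant.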