Secure Your API: Implementing CORS Handling in Go

Cross-Origin Resource Sharing (CORS) is a critical security mechanism that restricts web pages from making requests to a different domain than the one which served the web page. This challenge asks you to build a simple Go HTTP server that correctly handles CORS requests, allowing requests from a specified origin. Properly implementing CORS is essential for modern web applications that interact with APIs hosted on different domains.

Problem Description

You need to create a Go program that sets up an HTTP server and configures it to respond to requests with appropriate CORS headers. The server should accept GET requests to the root path ("/"). The server must allow requests originating from the domain http://localhost:3000. All other origins should be blocked. The server should return a simple "Hello, CORS!" message in the response body for allowed origins.

Key Requirements:

• Allow Origin: The server must explicitly allow requests from http://localhost:3000.
• Block Other Origins: Requests from any other origin should be rejected with a 403 Forbidden status code.
• CORS Headers: For allowed origins, the server must include the following CORS headers in the response:
  • Access-Control-Allow-Origin: Set to http://localhost:3000.
  • Access-Control-Allow-Methods: Set to GET.
  • Access-Control-Allow-Headers: Set to *.
• HTTP Method: The server should only respond to GET requests. Other methods should return a 405 Method Not Allowed status code.
• Response Body: For allowed origins and GET requests, the response body should be "Hello, CORS!".

Expected Behavior:

• A GET request from http://localhost:3000 should receive a 200 OK status code, the specified CORS headers, and the "Hello, CORS!" response body.
• A GET request from any other origin (e.g., http://example.com) should receive a 403 Forbidden status code and no CORS headers.
• A request with any other HTTP method (e.g., POST, PUT) should receive a 405 Method Not Allowed status code.

Edge Cases to Consider:

• What happens if the Origin header is missing from the request? (Treat as blocked for simplicity)
• How should the server handle preflight requests (OPTIONS)? (Not required for this challenge, but good to be aware of)

Examples

Example 1:

Input: GET request to "/" from http://localhost:3000
Output: 200 OK
Headers:
  Access-Control-Allow-Origin: http://localhost:3000
  Access-Control-Allow-Methods: GET
  Access-Control-Allow-Headers: *
Body: "Hello, CORS!"

Explanation: The request is from the allowed origin and uses the correct method. The server responds with the expected headers and body.

Example 2:

Input: GET request to "/" from http://example.com
Output: 403 Forbidden
Headers: None
Body: None

Explanation: The request is from a blocked origin. The server responds with a 403 Forbidden status code and no CORS headers.

Example 3:

Input: POST request to "/" from http://localhost:3000
Output: 405 Method Not Allowed
Headers: None
Body: None

Explanation: The request uses an unsupported method (POST). The server responds with a 405 Method Not Allowed status code.

Constraints

• The server must listen on port 8080.
• The code should be well-structured and readable.
• The solution should be efficient and avoid unnecessary allocations.
• The allowed origin is fixed as http://localhost:3000. Do not allow for dynamic origin configuration.

Notes

• Consider using the net/http package for creating the HTTP server.
• The Origin header is crucial for CORS. Make sure to inspect it in each request.
• Focus on correctly setting the CORS headers for allowed origins and blocking other origins.
• This challenge focuses on the core CORS handling logic. Error handling and more advanced features (like preflight requests) are not required.