Nginx allow only one origin


I am setting up a production environment for my project, composed of a front-end (React / Vite.js) and a back-end (Express).

I'm using Ansible to deploy my application to an Ubuntu VPS. I managed to successfully deploy my front end and back end, everything seems to be working fine.

However, I'm having an issue with CORS restrictions on my backend in production. Whereas in a development environment, only authorized origins can make requests to my back-end thanks to this configuration:

this.app.use(
   cors({
     origin: [
       process.env.WEBSITE_URL,
       process.env.DASHBOARD_PUBLIC_DEV_URL_HTTPS,
       process.env.DASHBOARD_PUBLIC_DEV_URL_HTTP,
       process.env.DASHBOARD_LOCAL_HTTPS_URL,
       process.env.DASHBOARD_LOCAL_HTTP_URL,
       process.env.DASHBOARD_PUBLIC_PROD_URL_HTTPS
     ],
     credentials: true
   })
);

In production I feel like these CORS restrictions are not taken into account because any origin can make requests to my backend. I suspect this is related to the Nginx configuration.

Here are my Nginx configuration files for the front-end and back-end:

Configuration for the back end:

server {
     listen {{nginx_http_port}};
     server_name {{nginx_backend_domain}};

     location / {
         proxy_pass http://localhost:{{nginx_backend_port}};
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection 'upgrade';
         proxy_set_header Host $host;
         proxy_cache_bypass $http_upgrade;
     }
}

Configuration for the front end:

server {
     listen {{nginx_http_port}};
     server_name {{nginx_dashboard_domain}};

     location / {
         root {{ nginx_frontend_dist_directory }};
         index index.html;
         try_files $uri $uri/ /index.html;
     }
}

Variables file for the configure_nginx role:

nginx_frontend_dist_directory: /var/www/dashboard/dist
nginx_frontend_template: nginx_site_dashboard.j2
nginx_backend_template: nginx_site_backend.j2
nginx_frontend_app_name: dashboard
nginx_backend_app_name: backend
nginx_backend_port: 3001
nginx_http_port: 80
nginx_dashboard_domain: dashboard.digital-express.cloud
nginx_backend_domain: api.digital-express.cloud

Does anyone have any idea why CORS restrictions are not enforced in production? Is this related to my Nginx configuration? Thank you in advance for your help!

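Added example, not part of the original question: an allowlist passed to the `cors` middleware only controls which `Access-Control-*` response headers are sent, and it is the browser that enforces them, so a request from an unlisted origin or a non-browser client still reaches the Express handlers. The sketch below models that behaviour and shows an Express-style middleware that refuses non-allowlisted `Origin` values outright. The `https://` scheme on the dashboard origin, the function names and the mock `req`/`res` objects are assumptions for illustration.

```javascript
// Added example, not the asker's code. Origin value is constructed: the host
// comes from the question's variables file, the https scheme is assumed.
const ALLOWED_ORIGINS = new Set(["https://dashboard.digital-express.cloud"]);

// Simplified model of an allowlist CORS layer: it only chooses response
// headers. It does not stop the request from reaching the route handler.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" };
  if (origin && allowed.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Express-style middleware (hypothetical name) that rejects a request whose
// Origin header is present but not allowlisted. Requests with no Origin
// header (curl, server-to-server) pass, so authentication is still needed.
function rejectUnknownOrigin(allowed = ALLOWED_ORIGINS) {
  return function (req, res, next) {
    const origin = req.headers.origin;
    if (origin !== undefined && !allowed.has(origin)) {
      res.statusCode = 403;
      res.end("Origin not allowed");
      return;
    }
    next();
  };
}

// Minimal stand-ins for req/res so the example runs without Express.
function simulate(origin) {
  const req = { headers: origin === undefined ? {} : { origin } };
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let reachedHandler = false;
  rejectUnknownOrigin()(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler, cors: corsHeadersFor(origin) };
}

console.log(simulate("https://dashboard.digital-express.cloud"));
console.log(simulate("https://other.example")); // constructed foreign origin
console.log(simulate(undefined));               // no Origin header at all
```

In an Express app the middleware would be registered with `app.use(rejectUnknownOrigin())` ahead of the routes, alongside the existing `cors(...)` call.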