From 06c92e52f7c24ea0c48852633ad22a050136407d Mon Sep 17 00:00:00 2001
From: Alexander Whitestone
Date: Thu, 19 Mar 2026 15:04:53 -0400
Subject: [PATCH] fix: strip CORS wildcards in production instead of just warning (#462)

---
 src/dashboard/app.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/dashboard/app.py b/src/dashboard/app.py
index c5021ab4..262aa8bd 100644
--- a/src/dashboard/app.py
+++ b/src/dashboard/app.py
@@ -484,12 +484,14 @@ app = FastAPI(
 def _get_cors_origins() -> list[str]:
-    """Get CORS origins from settings, with sensible defaults."""
+    """Get CORS origins from settings, rejecting wildcards in production."""
     origins = settings.cors_origins
     if "*" in origins and not settings.debug:
         logger.warning(
-            "CORS wildcard '*' used in non-debug mode; set CORS_ORIGINS to restrict allowed origins"
+            "Wildcard '*' in CORS_ORIGINS stripped in production — "
+            "set explicit origins via CORS_ORIGINS env var"
         )
+        origins = [o for o in origins if o != "*"]
     return origins
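Review bot: The strip on the last added line and the `"*" in origins` test both assume `settings.cors_origins` is already a list; if the setting can reach this function as the raw `CORS_ORIGINS` string, `in` becomes a substring test and the comprehension returns the string's characters minus `*`, so a guard such as `if isinstance(origins, str): origins = [o.strip() for o in origins.split(",") if o.strip()]` before the check would make the fix hold regardless — whether that is needed depends on how `settings` parses the value, which is outside the hunk. When `*` was the only entry the function now returns `[]` and every cross-origin request will be refused; that fails closed, which is the right default, but the warning should say so, e.g. log `"Wildcard '*' in CORS_ORIGINS stripped in production; effective origins: %s", origins` after the strip so an empty allow-list is diagnosable from the startup log. Note the gate is `settings.debug`, so a production host accidentally started with debug on still gets the wildcard; that is pre-existing behaviour rather than something this commit introduces, but worth a comment on the `if` line. The hunk's trailing context lines appear to be cut from this view, though the function itself ends at `return origins`.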