Rockachopa/Timmy-time-dashboard
1
0
Fork 2
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: strip CORS wildcards in production instead of just warning (#462)
All checks were successful
Tests / lint (pull_request) Successful in 6s
Details
Tests / test (pull_request) Successful in 1m51s
Details

Browse Source
This commit is contained in:
Alexander Whitestone
2026-03-19 15:04:53 -04:00
parent a751be3038
commit 06c92e52f7
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/dashboard/app.py
View File

@@ -484,12 +484,14 @@ app = FastAPI(
def _get_cors_origins() -> list[str]: def _get_cors_origins() -> list[str]:
"""Get CORS origins from settings, with sensible defaults.""" """Get CORS origins from settings, rejecting wildcards in production."""
origins = settings.cors_origins origins = settings.cors_origins
if "*" in origins and not settings.debug: if "*" in origins and not settings.debug:
logger.warning( logger.warning(
"CORS wildcard '*' used in non-debug mode; set CORS_ORIGINS to restrict allowed origins" "Wildcard '*' in CORS_ORIGINS stripped in production — "
"set explicit origins via CORS_ORIGINS env var"
) )
origins = [o for o in origins if o != "*"]
return origins return origins