From 9578330c870ba9599881d44e1b0370ecf7fb5914 Mon Sep 17 00:00:00 2001
From: kimi
Date: Thu, 19 Mar 2026 14:58:10 -0400
Subject: [PATCH] fix: replace wildcard CORS default with explicit localhost origins
The cors_origins setting defaulted to ["*"], which passed through unchanged in production (non-debug) mode. Now defaults to explicit localhost origins, and _get_cors_origins() strips any wildcards in production with a warning.
Fixes #462
Co-Authored-By: Claude Opus 4.6
---
 src/config.py | 7 ++++++-
 src/dashboard/app.py | 20 ++++++++++++--------
 2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/src/config.py b/src/config.py
index 7ba85b3e..052285ae 100644
--- a/src/config.py
+++ b/src/config.py
@@ -138,7 +138,12 @@ class Settings(BaseSettings):
 # CORS allowed origins for the web chat interface (Gitea Pages, etc.)
 # Set CORS_ORIGINS as a comma-separated list, e.g. "http://localhost:3000,https://example.com"
- cors_origins: list[str] = ["*"]
+ cors_origins: list[str] = [
+ "http://localhost:3000",
+ "http://localhost:8000",
+ "http://127.0.0.1:3000",
+ "http://127.0.0.1:8000",
+ ]
 # Trusted hosts for the Host header check (TrustedHostMiddleware).
 # Set TRUSTED_HOSTS as a comma-separated list. Wildcards supported (e.g. "*.ts.net").
diff --git a/src/dashboard/app.py b/src/dashboard/app.py
index 4e247022..aeac2724 100644
--- a/src/dashboard/app.py
+++ b/src/dashboard/app.py
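Review bot: The comment above the `cors_origins` field in src/config.py still documents only the comma-separated format and says nothing about a `*` entry being discarded when `debug` is false, so an operator who sets CORS_ORIGINS=* learns of it only from a log line. I would add a line such as `# A "*" entry is ignored unless debug is enabled; list explicit origins for production.` above the field. The four-entry default added here also differs from the two-entry fallback in `_get_cors_origins()` in src/dashboard/app.py; a single shared constant would keep the two lists from drifting apart.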
@@ -484,15 +484,19 @@ app = FastAPI(
 def _get_cors_origins() -> list[str]:
- """Get CORS origins from settings, with sensible defaults."""
+ """Get CORS origins from settings, rejecting wildcards in production."""
 origins = settings.cors_origins
- if settings.debug and origins == ["*"]:
- return [
- "http://localhost:3000",
- "http://localhost:8000",
- "http://127.0.0.1:3000",
- "http://127.0.0.1:8000",
- ]
+ if not settings.debug and "*" in origins:
+ logger.warning(
+ "Wildcard '*' in CORS_ORIGINS ignored in production — "
+ "set explicit origins via CORS_ORIGINS env var"
+ )
+ origins = [o for o in origins if o != "*"]
+ if not origins:
+ origins = [
+ "http://localhost:3000",
+ "http://localhost:8000",
+ ]
 return origins
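Review bot: When every configured entry was a wildcard, the `if not origins:` branch falls back to `http://localhost:3000` and `http://localhost:8000` even though `settings.debug` is false, so a production instance ends up trusting loopback origins that nobody configured. Failing closed is the safer default: drop the fallback so the list stays empty and no cross-origin caller is allowed, and make the message say so, e.g. `logger.error("CORS_ORIGINS contains no explicit origins; cross-origin requests are disabled")`. With `settings.debug` true, a configured `*` now passes through unchanged, where the old code replaced it with the localhost list; if the CORS middleware is set up to allow credentials (not visible in this hunk), that should be confirmed as intended. The diffstat shows no test file, so cases for production with `["*"]` and production with a mixed list would pin the new behaviour.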