[loop-cycle-536] fix: validate_startup checks CORS wildcard in production (#472) (#478)

2026-03-19 15:29:26 -04:00
parent 3c3aca57f1
commit dbc2fd5b0f
2 changed files with 39 additions and 0 deletions
--- a/src/config.py
+++ b/src/config.py
@@ -469,8 +469,19 @@ def validate_startup(*, force: bool = False) -> None:
                ", ".join(_missing),
            )
            sys.exit(1)
+        if "*" in settings.cors_origins:
+            _startup_logger.error(
+                "PRODUCTION SECURITY ERROR: CORS wildcard '*' is not allowed "
+                "in production. Set CORS_ORIGINS to explicit origins."
+            )
+            sys.exit(1)
        _startup_logger.info("Production mode: security secrets validated ✓")
    else:
+        if "*" in settings.cors_origins:
+            _startup_logger.warning(
+                "SEC: CORS_ORIGINS contains wildcard '*' — "
+                "restrict to explicit origins before deploying to production."
+            )
        if not settings.l402_hmac_secret:
            _startup_logger.warning(
                "SEC: L402_HMAC_SECRET is not set — "