Security: Enforce strict CORS domain restriction in production environment

This commit is contained in:
2026-06-07 09:26:45 +02:00
parent e7b5ea9a61
commit 9104f6123d


@@ -378,6 +378,11 @@ _CORS_EXTRA_DEV_ORIGINS = [
_cors_env = config.CORS_ORIGINS_RAW
if _cors_env == "*" or not _cors_env:
if config.ENV == "production":
logger.error(
"CORS_ORIGINS must be configured with specific domains in production! Wildcard '*' or empty values are forbidden."
)
sys.exit("CORS configuration error: Wildcard '*' or empty CORS_ORIGINS is forbidden in production.")
logger.warning(
"CORS_ORIGINS not properly configured. Using permissive settings for development only!"
)