Security: Enforce strict CORS domain restriction in production environment
5
main.py
5
main.py
@@ -378,6 +378,11 @@ _CORS_EXTRA_DEV_ORIGINS = [
|
||||
|
||||
_cors_env = config.CORS_ORIGINS_RAW
|
||||
if _cors_env == "*" or not _cors_env:
|
||||
if config.ENV == "production":
|
||||
logger.error(
|
||||
"CORS_ORIGINS must be configured with specific domains in production! Wildcard '*' or empty values are forbidden."
|
||||
)
|
||||
sys.exit("CORS configuration error: Wildcard '*' or empty CORS_ORIGINS is forbidden in production.")
|
||||
logger.warning(
|
||||
"CORS_ORIGINS not properly configured. Using permissive settings for development only!"
|
||||
)
|
||||
|
||||
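Review bot: The production guard only rejects the exact string "*" or an empty value, so a raw setting such as "*,https://example.com" or a whitespace-only string passes it and, if CORS_ORIGINS_RAW is later split into a list, a wildcard entry would still reach the CORS middleware; the sides of this hunk are not marked, so I am reading the production branch as the added code. Normalising before the check closes both gaps, e.g. `_cors_env = (config.CORS_ORIGINS_RAW or "").strip()`, `_cors_entries = [o.strip() for o in _cors_env.split(",") if o.strip()]`, `if not _cors_entries or "*" in _cors_entries:` — assuming the value is comma-separated, which the hunk does not show. The dev-only branch also deserves a comment stating what "permissive settings" means here, since the origins actually applied are built outside this hunk (_CORS_EXTRA_DEV_ORIGINS begins before it).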