From 9104f6123d6640d1893cef69f492a4235c994e73 Mon Sep 17 00:00:00 2001
From: sepehr
Date: Sun, 7 Jun 2026 09:26:45 +0200
Subject: [PATCH] Security: Enforce strict CORS domain restriction in production environment
---
 main.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/main.py b/main.py
index 3632ec3..d1ca76d 100644
--- a/main.py
+++ b/main.py
@@ -378,6 +378,11 @@ _CORS_EXTRA_DEV_ORIGINS = [
 _cors_env = config.CORS_ORIGINS_RAW
 if _cors_env == "*" or not _cors_env:
+ if config.ENV == "production":
+ logger.error(
+ "CORS_ORIGINS must be configured with specific domains in production! Wildcard '*' or empty values are forbidden."
 )
+ sys.exit("CORS configuration error: Wildcard '*' or empty CORS_ORIGINS is forbidden in production.")
 logger.warning(
 "CORS_ORIGINS not properly configured. Using permissive settings for development only!"
 )
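Review bot: The production guard added under `if _cors_env == "*" or not _cors_env:` only fires on an exact environment name and an exact wildcard, so an `ENV` spelled `Production` or `prod`, or a mixed value (constructed example: `https://app.example, *`), still reaches the permissive fallback below. Consider normalizing once, `_is_production = config.ENV.strip().lower() == "production"`, and testing for `*` as a member of the parsed origin list rather than against the whole raw string — assuming the list is split further down, which is outside the hunk. The new code also depends on `sys` being imported at module level in main.py, which the hunk does not show; confirm it, since a missing import would turn the intended fail-closed exit into a NameError at startup with a misleading traceback. Lastly, `logger.error(...)` followed by `sys.exit("...")` carries the same reason twice in slightly different wording; `logger.critical(...)` followed by `raise SystemExit(1)` logs once and keeps the exit reason in one place.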