Security: Enforce strict CORS domain restriction in production environment
5
main.py
5
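--- a/main.py
+++ b/main.py
@@ -378,6 +378,11 @@ _CORS_EXTRA_DEV_ORIGINS = [
 
 _cors_env = config.CORS_ORIGINS_RAW
 if _cors_env == "*" or not _cors_env:
+if config.ENV == "production":
+logger.error(
+"CORS_ORIGINS must be configured with specific domains in production! Wildcard '*' or empty values are forbidden."
+)
+sys.exit("CORS configuration error: Wildcard '*' or empty CORS_ORIGINS is forbidden in production.")
 logger.warning(
 "CORS_ORIGINS not properly configured. Using permissive settings for development only!"
 )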
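Review bot: The new production guard under `if config.ENV == "production":` only fires for the exact value `"*"` or an empty/None value, so a whitespace-only setting or a wildcard mixed into a comma-separated list (a constructed example: `*, https://app.example`) passes `if _cors_env == "*" or not _cors_env:` and still reaches the permissive path. Normalising first, `_cors_env = (config.CORS_ORIGINS_RAW or "").strip()`, closes the whitespace case provided downstream code does not distinguish `None` from `""`; if the raw value is later split into a list (not visible in this hunk), also reject any individual entry equal to `*`. The added `sys.exit(...)` assumes `sys` is imported at the top of main.py, which this hunk does not show. The `if _cors_env == "*" or not _cors_env:` block continues past the end of the hunk, so the development fallback it selects is not visible here.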