Replace hardcoded `allow_origins=["*"]` with a parsed `CORS_ORIGINS` environment variable (comma-separated). Default remains `*` for backward compatibility — no existing deployment breaks — but the API now logs a startup warning prompting users to set it explicitly for production.

Exception handlers now route their CORS headers through a shared `_cors_headers()` helper that mirrors Starlette's CORSMiddleware behavior: reflects the request Origin when allowed (handling the browser-rejected `*` + credentials combination correctly), and omits `Access-Control-Allow-Origin` for disallowed origins so error bodies don't leak cross-origin when `CORS_ORIGINS` is configured.

Closes #585, #730.

Based on the original work by Greg Grace in #597; rewritten on top of current main to address prior review feedback (load_dotenv kept at top, `import os` grouped with stdlib, `_cors_headers` defined before its exception-handler callers, origins parsed once at module load) and to choose a non-breaking default paired with a startup warning instead of a stricter-by-default origin.

Co-authored-by: Greg Grace <ggrace@519lab.com>
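The origin-reflection logic the commit message describes, written out as an added, stand-alone example that is not the project's code and not Starlette's source. It assumes hypothetical names (`parse_cors_origins`, `cors_headers`, `error_response`) and reproduces the documented CORSMiddleware rules for a non-preflight response: no headers without an `Origin`, a literal `*` only when every origin is allowed and credentials are off, the concrete origin plus `Vary: Origin` when credentials are on or the origin is in the allow-list, and no `Access-Control-Allow-Origin` at all for a disallowed origin.

```python
import logging
import os
from typing import Dict, List, Optional

WILDCARD = "*"
log = logging.getLogger("cors")


def parse_cors_origins(raw: Optional[str]) -> List[str]:
    """Parse a comma-separated CORS_ORIGINS value.

    Unset or blank keeps the backward-compatible default ["*"] but logs a warning,
    matching the startup-warning behaviour described above. Trailing slashes are
    stripped because an Origin header never carries a path.
    """
    if raw is None or not raw.strip():
        log.warning("CORS_ORIGINS not set; defaulting to '*'. Set it explicitly for production.")
        return [WILDCARD]
    origins = [o.strip().rstrip("/") for o in raw.split(",") if o.strip()]
    return origins or [WILDCARD]


def cors_headers(
    allowed: List[str],
    request_origin: Optional[str],
    allow_credentials: bool = False,
) -> Dict[str, str]:
    """Headers an exception handler must attach so its response matches CORSMiddleware.

    Rules mirrored from Starlette's simple-response path:
      * no Origin header  -> not a cross-origin browser request, emit nothing;
      * allow-all and no credentials -> literal "*";
      * allow-all with credentials, or origin in the allow-list -> reflect the
        origin and add Vary: Origin (browsers reject "*" + credentials, and a
        shared cache must not serve one origin's reflected value to another);
      * otherwise -> omit Access-Control-Allow-Origin entirely, so the browser
        blocks the error body for the disallowed origin.
    """
    headers: Dict[str, str] = {}
    if request_origin is None:
        return headers
    allow_all = WILDCARD in allowed
    if allow_all and not allow_credentials:
        headers["Access-Control-Allow-Origin"] = WILDCARD
    elif allow_all or request_origin in allowed:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"
    else:
        return headers  # disallowed origin: no ACAO, nothing else either
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def error_response(
    status: int,
    detail: str,
    allowed: List[str],
    request_origin: Optional[str],
    allow_credentials: bool = False,
) -> Dict[str, object]:
    """What a JSON exception handler would return: status, body and CORS headers.

    Returned as a plain dict so it runs without a web framework installed.
    """
    return {
        "status": status,
        "body": {"detail": detail},
        "headers": cors_headers(allowed, request_origin, allow_credentials),
    }


if __name__ == "__main__":
    # Constructed sample configuration; a real deployment reads CORS_ORIGINS from the environment.
    allowed = parse_cors_origins(os.environ.get("CORS_ORIGINS", "https://app.example, https://admin.example/"))
    print(error_response(500, "boom", allowed, "https://app.example"))
    print(error_response(500, "boom", allowed, "https://evil.example"))
```

The disallowed-origin case is the one worth checking in review: a handler that copies the middleware's `*` into every error response would let any page read stack traces or validation messages cross-origin even after `CORS_ORIGINS` is tightened.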