fix: harden CORS origin allow list

Fixes #322
2026-06-19 08:28:10 +02:00 · 2026-05-27 15:36:48 +05:30 · 2026-05-27 15:36:48 +05:30 · 6f79bd67eb
commit 6f79bd67eb
parent 6d78537297
5 changed files with 38 additions and 11 deletions
--- a/api/constants.py
+++ b/api/constants.py
@ -26,6 +26,9 @@ DATABASE_URL = os.environ["DATABASE_URL"]
 REDIS_URL = os.environ["REDIS_URL"]

 DEPLOYMENT_MODE = os.getenv("DEPLOYMENT_MODE", "oss")
+CORS_ALLOWED_ORIGINS = [
+    o.strip() for o in os.getenv("CORS_ALLOWED_ORIGINS", "").split(",") if o.strip()
+]
 AUTH_PROVIDER = os.getenv("AUTH_PROVIDER", "local")
 DOGRAH_MPS_SECRET_KEY = os.getenv("DOGRAH_MPS_SECRET_KEY", None)
 MPS_API_URL = os.getenv("MPS_API_URL", "https://services.dograh.com")