fix(security): restrict CORS to specific allowed origins

DevanshuNEU · DevanshuNEU · commit cbb51c882d45 · 2025-11-24T20:20:35.000-05:00
Fixes #4 SECURITY VULNERABILITY: Previous configuration allowed ANY origin to make authenticated requests, enabling CSRF attacks from malicious websites. Changes: - Replace allow_origins=["*"] with environment-based configuration - Add ALLOWED_ORIGINS environment variable (comma-separated list) - Restrict allow_methods to specific HTTP methods (GET, POST, PUT, DELETE, OPTIONS) - Restrict allow_headers to required headers (Authorization, Content-Type) - Default to http://localhost:3000 for local development Configuration: - Development: ALLOWED_ORIGINS=http://localhost:3000 - Production: ALLOWED_ORIGINS=https://app.vercel.app,https://custom-domain.com Testing: ✅ Verified localhost:3000 receives CORS headers ✅ Verified unauthorized origins are blocked ✅ Backend health check confirms proper CORS restrictions Files modified: - backend/main.py: Updated CORS middleware configuration - .env.example: Added ALLOWED_ORIGINS documentation - backend/.env.example: Added ALLOWED_ORIGINS with example Impact: Prevents cross-site request forgery attacks in production
diff --git a/.env.example b/.env.example
@@ -20,6 +20,12 @@ SUPABASE_JWT_SECRET=your-jwt-secret  # From Project Settings → API → JWT Sec
 API_KEY=change-this-secret-key-for-production
 BACKEND_API_URL=http://backend:8000
 
+# CORS Configuration (Security)
+# Comma-separated list of allowed origins
+# Development: http://localhost:3000
+# Production: https://your-app.vercel.app,https://your-domain.com
+ALLOWED_ORIGINS=http://localhost:3000
+
 # Redis (auto-configured in Docker, set REDIS_URL in Railway)
 REDIS_HOST=redis
 REDIS_PORT=6379
diff --git a/backend/.env.example b/backend/.env.example
@@ -12,6 +12,9 @@ SUPABASE_JWT_SECRET=your_jwt_secret_here
 BACKEND_API_URL=http://localhost:8000
 API_KEY=dev-secret-key
 
+# CORS Configuration (Security)
+ALLOWED_ORIGINS=http://localhost:3000
+
 # Redis Cache
 REDIS_HOST=localhost
 REDIS_PORT=6379
diff --git a/backend/main.py b/backend/main.py
@@ -38,13 +38,15 @@
 # Include routers
 app.include_router(auth_router)
 
-# CORS middleware
+# CORS middleware - Restrict to specific origins for security
+ALLOWED_ORIGINS = os.getenv("ALLOWED_ORIGINS", "http://localhost:3000").split(",")
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=ALLOWED_ORIGINS,
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allow_headers=["Authorization", "Content-Type"],
 )
 
 # Request size limit middleware
