Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

Fix CORS default: restrict allowed origins from wildcard to explicit list #8

New Issue
Open
opened 2026-04-20 09:34:50 +00:00 by sharang · 0 comments
sharang commented 2026-04-20 09:34:50 +00:00
Owner
Copy Link
Copy Source

Problem

backend-compliance/main.py:70:

ALLOWED_ORIGINS = os.getenv("CORS_ORIGINS", "*").split(",")

When CORS_ORIGINS is not set, every origin is allowed. Combined with the missing auth middleware (#4), this means any webpage can make authenticated API requests on behalf of a logged-in user.

Required Actions

  1. Change default to "" — no origins allowed unless explicitly configured
  2. Add allow_credentials=True only if using httpOnly cookie auth (see M5 frontend issue)
  3. Validate that configured origins are well-formed URLs at startup
  4. Apply same fix to any other FastAPI apps in the repo (dsms-gateway, document-crawler)

Acceptance Criteria

  • Missing CORS_ORIGINS env var causes startup warning and allows zero cross-origin requests
  • CORS headers are absent on responses when origin is not in the allowlist
  • Depends on: #7 (env var enforcement)
## Problem `backend-compliance/main.py:70`: ```python ALLOWED_ORIGINS = os.getenv("CORS_ORIGINS", "*").split(",") ``` When `CORS_ORIGINS` is not set, every origin is allowed. Combined with the missing auth middleware (#4), this means any webpage can make authenticated API requests on behalf of a logged-in user. ## Required Actions 1. Change default to `""` — no origins allowed unless explicitly configured 2. Add `allow_credentials=True` only if using httpOnly cookie auth (see M5 frontend issue) 3. Validate that configured origins are well-formed URLs at startup 4. Apply same fix to any other FastAPI apps in the repo (dsms-gateway, document-crawler) ## Acceptance Criteria - Missing `CORS_ORIGINS` env var causes startup warning and allows zero cross-origin requests - CORS headers are absent on responses when origin is not in the allowlist - Depends on: #7 (env var enforcement)
sharang added this to the M1: Security Foundation milestone 2026-04-20 09:34:50 +00:00
sharang added the severity: highsecurity labels 2026-04-20 09:34:50 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
config
Env vars, secrets management, startup validation
 data-integrity
Transactions, indexes, pagination
 frontend
Next.js, client-side concerns
 observability
Logging, audit trails, health checks
 reliability
Error handling, retries, circuit breakers
 security
Auth, secrets, injection, tenant isolation
 severity: critical
System-level risk, data breach or full outage
 severity: high
Significant risk, must fix before go-live
 severity: medium
Important but not blocking go-live
 testing
Test coverage, integration tests
No Label security severity: high
Milestone
No items
No Milestone M1: Security Foundation
Projects
Clear projects
No project
Assignees
Clear assignees
sharang (Sharang Parnerkar) Benjamin_Boenisch
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Benjamin_Boenisch/breakpilot-compliance#8
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?