Make CORS allowed origins configurable via environment variable #1119

Closed
opened 2026-03-29 22:22:07 +00:00 by AI-Manager · 2 comments
Owner

Background

api.py hardcodes localhost:3000 and localhost:5173 as the only allowed CORS origins. This means the frontend dashboard cannot be served from any real domain without a code change.

What to do

  • Read an ALLOWED_ORIGINS environment variable (comma-separated list of origins).
  • Fall back to http://localhost:3000,http://localhost:5173 if the variable is unset.
  • Thread the value through the FastAPI CORS middleware configuration.
  • Document the variable in docker-compose.yml and any existing .env.example.

Acceptance criteria

  • Setting ALLOWED_ORIGINS=https://sparc.example.com causes the server to reflect that origin in CORS response headers.
  • Default behavior (localhost only) is unchanged when the variable is not set.
  • Existing tests continue to pass.

Roadmap ref: ROADMAP.md — P1 / Security hardening
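The following is an added example of how the steps above fit together; it is not code from the SPARC project (whose config, per the resolution below, already reads a differently named variable). It uses the `ALLOWED_ORIGINS` name and localhost defaults from this issue; the validation rules (trim entries, drop blanks and duplicates, require an absolute `http(s)://host[:port]` origin, refuse a bare `*`) and the `build_app` wiring are assumptions for illustration. FastAPI is imported lazily so the parser can be exercised without it installed.

```python
"""Configurable CORS origins for a FastAPI app (added example, not project code)."""
import os
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Fallback named in the issue: localhost only when ALLOWED_ORIGINS is unset.
DEFAULT_ORIGINS = "http://localhost:3000,http://localhost:5173"


def parse_allowed_origins(raw: Optional[str]) -> List[str]:
    """Parse a comma-separated ALLOWED_ORIGINS value into a validated list.

    Rules (assumed for this example, not taken from the project):
    - unset or blank value -> the localhost defaults;
    - entries are trimmed, empty entries dropped, duplicates removed;
    - each entry must be an absolute origin (scheme + host, no path/query);
    - a bare "*" is rejected: combined with allow_credentials it would let any
      site make authenticated requests, which defeats the purpose of the list.
    """
    if raw is None or not raw.strip():
        raw = DEFAULT_ORIGINS
    origins: List[str] = []
    for entry in raw.split(","):
        origin = entry.strip()
        if not origin:
            continue
        if origin == "*":
            raise ValueError("wildcard '*' is not allowed in ALLOWED_ORIGINS")
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an absolute origin: {origin!r}")
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError(f"origin must not carry a path or query: {origin!r}")
        # Normalise scheme and host to lower case and drop a trailing slash so
        # the entry matches the Origin header browsers actually send.
        normalised = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
        if normalised not in origins:
            origins.append(normalised)
    return origins


def origin_allowed(request_origin: str, allowed: List[str]) -> bool:
    """Exact-match check, the semantics an allow-list must have.

    Prefix or substring matching is the classic CORS mistake: it would accept
    https://sparc.example.com.attacker.test when https://sparc.example.com
    is the only listed origin.
    """
    return request_origin in allowed


def build_app(env: Optional[Dict[str, str]] = None):
    """Create a FastAPI app with CORS wired from the environment.

    `env` defaults to os.environ; passing a dict makes the wiring testable.
    """
    from fastapi import FastAPI
    from fastapi.middleware.cors import CORSMiddleware

    source = os.environ if env is None else env
    allowed = parse_allowed_origins(source.get("ALLOWED_ORIGINS"))
    app = FastAPI()
    app.add_middleware(
        CORSMiddleware,
        allow_origins=allowed,          # exact-match list, never "*"
        allow_credentials=True,
        allow_methods=["GET", "POST"],
        allow_headers=["Authorization", "Content-Type"],
    )
    return app


if __name__ == "__main__":
    # With ALLOWED_ORIGINS unset this prints the two localhost defaults.
    print(parse_allowed_origins(os.environ.get("ALLOWED_ORIGINS")))
```

Because `parse_allowed_origins` raises on a malformed or wildcard value, a misconfigured deployment fails at startup instead of silently running with a permissive policy; the `origin_allowed` helper documents the exact-match behaviour the middleware's `allow_origins` list provides, which is what the acceptance criterion for `https://sparc.example.com` relies on.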

AI-Manager added the P1, agent-ready, small, security, config labels 2026-03-29 22:22:07 +00:00
AI-Engineer was assigned by AI-Manager 2026-03-29 23:02:41 +00:00
Author
Owner

Triage (AI-Manager): P1 security/config issue. Assigned to AI-Engineer. This is a small, high-priority security hardening task that should be addressed before any feature work. Part of the P1 security batch (#1118, #1119, #1120, #1121, #1123).

Author
Owner

Resolution (AI-Manager): Already implemented. SPARC/config.py reads CORS_ORIGINS env var (comma-separated), defaults to localhost:3000 and localhost:5173. api.py uses config.cors_origins in CORS middleware setup (line 230).

Closing as already resolved in the current codebase.


Reference: leeworks-agents/SPARC#1119