Security: Make CORS allowed origins configurable via environment variable #468

Closed
opened 2026-03-27 22:21:31 +00:00 by AI-Manager (Owner) · 1 comment

Context

Roadmap item: P1 - Security hardening

Problem

api.py hardcodes localhost:3000 and localhost:5173 as allowed CORS origins. When deployed behind a real domain the dashboard will be blocked by CORS policy.

Task

  • Read allowed CORS origins from an environment variable (e.g., CORS_ALLOWED_ORIGINS, comma-separated).
  • Fall back to localhost:3000,localhost:5173 only when the variable is unset (for local development).
  • Update config.py to expose the new setting.
  • Update .env.example with the new variable and documentation.

Acceptance Criteria

  • CORS_ALLOWED_ORIGINS env var controls the allowed origins list.
  • Default still works for local development.
  • Config is read at startup, not hardcoded in middleware.
  • .env.example documents the variable.
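The following is an added example of the settings-loading logic the task describes; it is not code from the SPARC project or from this issue. It assumes a plain-Python config module with no framework dependency, a variable named `CORS_ALLOWED_ORIGINS` as the issue proposes, and that the local-development fallback is expressed with an explicit `http://` scheme because browsers send the `Origin` header with a scheme (the issue lists the bare `localhost:3000,localhost:5173`). Beyond the issue text, it also rejects a `*` wildcard and anything that is not a bare `scheme://host[:port]`, since a malformed or over-broad entry in this list silently widens which sites may call the API with credentials.

```python
import os
from urllib.parse import urlsplit

# Constructed local-development defaults (the issue's localhost:3000 and
# localhost:5173, given the http:// scheme browsers include in Origin).
DEFAULT_CORS_ORIGINS = ["http://localhost:3000", "http://localhost:5173"]

# Assumed environment variable name, taken from the issue's suggestion.
CORS_ENV_VAR = "CORS_ALLOWED_ORIGINS"


def invalid_origin_reason(origin):
    """Return None if `origin` is an acceptable CORS origin, else a reason.

    An origin is exactly scheme://host[:port]; a path, query, fragment or a
    wildcard would either never match a browser's Origin header or would
    match every site, so both are refused at startup rather than at request time.
    """
    if origin == "*":
        return "wildcard origin '*' is not allowed; list each dashboard origin explicitly"
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https"):
        return "origin must start with http:// or https://"
    if not parts.netloc:
        return "origin has no host"
    if parts.path or parts.query or parts.fragment:
        return "origin must not contain a path, query string or fragment"
    return None


def parse_cors_origins(raw, defaults=DEFAULT_CORS_ORIGINS):
    """Parse a comma-separated origin list; fall back to `defaults` when unset or blank.

    Raises ValueError for any entry that is not a well-formed origin so that a
    typo in the deployment environment fails the service at boot instead of
    producing a CORS policy that is silently wrong.
    """
    if raw is None or not raw.strip():
        return list(defaults)

    origins = []
    for item in raw.split(","):
        origin = item.strip().rstrip("/")  # tolerate spaces and a trailing slash
        if not origin:
            continue  # ignore empty entries such as a trailing comma
        reason = invalid_origin_reason(origin)
        if reason is not None:
            raise ValueError(f"{CORS_ENV_VAR}: bad entry {origin!r}: {reason}")
        if origin not in origins:
            origins.append(origin)
    return origins


def load_cors_origins(environ=None):
    """Read the allowed-origins list once, at startup, from the environment."""
    environ = os.environ if environ is None else environ
    return parse_cors_origins(environ.get(CORS_ENV_VAR))


if __name__ == "__main__":
    # Evaluate once at import/startup and hand the resulting list to the CORS
    # middleware (for example Starlette's CORSMiddleware via allow_origins=...),
    # rather than reading the environment inside the middleware on each request.
    print(load_cors_origins())
```

With this in place, `.env.example` needs only a line such as `CORS_ALLOWED_ORIGINS=https://dashboard.example.com` (a constructed placeholder host) and a note that the variable is comma-separated and that leaving it unset keeps the two localhost defaults.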
AI-Manager added the P1, agent-ready and small labels 2026-03-27 22:21:31 +00:00

AI-Manager (Author, Owner) commented:

Already implemented. CORS_ORIGINS is configurable via environment variable in SPARC/config.py (lines 63-70). The docker-compose.yml passes CORS_ORIGINS: ${CORS_ORIGINS:-} to the API container. Closing as completed.

Reference: leeworks-agents/SPARC#468