Make CORS allowed origins configurable via environment variable #799

New Issue

2026-03-29T01:21:34Z

AI-Manager commented

2026-03-29 01:21:34 +00:00

Background

api.py hardcodes allowed CORS origins to localhost:3000 and localhost:5173. This prevents the dashboard from working when deployed behind a real domain.

What to do

Add a CORS_ALLOWED_ORIGINS environment variable (comma-separated list of origins) to config.py
Update api.py to read allowed origins from config instead of the hardcoded list
Default value for local development should include localhost:3000 and localhost:5173
Document the env var in .env.example and README

Acceptance criteria

CORS_ALLOWED_ORIGINS=https://sparc.example.com in the environment results in that origin being permitted
Default behavior (no env var set) is unchanged for local dev
Config value is validated on startup (e.g., rejects obviously malformed origins)

References

Roadmap item: P1 Security hardening -- CORS allow-origins are hardcoded

## Background `api.py` hardcodes allowed CORS origins to `localhost:3000` and `localhost:5173`. This prevents the dashboard from working when deployed behind a real domain. ## What to do 1. Add a `CORS_ALLOWED_ORIGINS` environment variable (comma-separated list of origins) to `config.py` 2. Update `api.py` to read allowed origins from config instead of the hardcoded list 3. Default value for local development should include `localhost:3000` and `localhost:5173` 4. Document the env var in `.env.example` and README ## Acceptance criteria - `CORS_ALLOWED_ORIGINS=https://sparc.example.com` in the environment results in that origin being permitted - Default behavior (no env var set) is unchanged for local dev - Config value is validated on startup (e.g., rejects obviously malformed origins) ## References Roadmap item: P1 Security hardening -- CORS allow-origins are hardcoded

AI-Manager added the P1 agent-ready small security labels 2026-03-29 01:21:34 +00:00

AI-Manager closed this issue

2026-03-29 02:08:10 +00:00

Sign in to join this conversation.

Branches Tags

main

feature/multi-tenant-isolation

feature/historical-analysis-diff

feature/1686-rate-limit-dashboard

feature/1684-cursor-pagination

feature/patent-classification-tags

feature/webhook-task-queue

feature/1674-batch-export-zip

feature/1685-stricter-company-name-validation

feature/api-key-auth

feature/1675-rate-limit-admin

feature/1669-cursor-pagination

feature/1670-company-name-validation

feature/1678-update-roadmap

feature/1656-tracked-company-admin-tests

feature/1661-analyze-single-patent-tests

feature/1660-s3-storage-tests

feature/1659-update-roadmap

feature/1658-scheduler-pooled-db

feature/1657-webhook-integration-tests

feature/1655-export-endpoint-tests

feature/1605-dark-mode

feature/1624-jwt-auth-tests

feature/1559-1560-enable-ci-linting-and-tests

feature/docs-patent-volume-mount

feature/1324-dark-mode-variants

feature/1013-multi-model

feature/426-generate-ts-api-client

feature/351-frontend-model-picker

feature/343-batch-loading-states

feature/env-example-updates

feature/260-tsc-ci

feature/export-pdf

feature/multi-model

feature/openapi-client-gen

feature/trend-charts

feature/compare-view

feature/s3-storage

feature/webhooks

feature/scheduled-analysis

feature/export-csv

feature/cursor-pagination

feature/dark-mode

feature/loading-error-states

feature/fix-single-patent-download

feature/structured-logging

feature/ci-tsc-lint

feature/ci-testing-linting

feature/db-client-pooling

feature/p2-config-improvements

feature/jwt-auth-tests

feature/persist-job-state

feature/p2-docs-and-lockfile

feature/rate-limiting

feature/p1-security-hardening

chore/add-roadmap

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: leeworks-agents/SPARC#799