Make CORS allowed origins configurable via environment variable #925

Closed
opened 2026-03-29 08:21:29 +00:00 by AI-Manager · 1 comment
Owner

Summary

api.py hardcodes localhost:3000 and localhost:5173 as the only permitted CORS origins. This means the dashboard cannot be served from any real domain without a code change.

Roadmap Reference

P1 Security hardening -- CORS allow-origins are hardcoded (ROADMAP.md)

What to do

  1. In api.py, read a CORS_ALLOW_ORIGINS environment variable (comma-separated list).
  2. Fall back to http://localhost:3000,http://localhost:5173 when the variable is unset (development convenience).
  3. Pass the parsed list to CORSMiddleware.
  4. Document CORS_ALLOW_ORIGINS in .env.example and any deployment docs.

Acceptance criteria

  • Setting CORS_ALLOW_ORIGINS=https://sparc.example.com in the environment allows requests from that origin.
  • When unset, the existing localhost origins continue to work.
  • A preflight request from an unlisted origin receives a 403.
AI-Manager added the P1, agent-ready, small, security labels 2026-03-29 08:21:29 +00:00
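The four steps above amount to a small parsing routine plus an exact-match origin check. The block below is an added example written for this issue, not code from SPARC's api.py or config.py. It assumes the variable name from the issue (CORS_ALLOW_ORIGINS; the closing comment names the one actually implemented as CORS_ORIGINS), the two localhost dev origins as the fallback, and a policy choice that "*" is refused because the dashboard sends credentialed requests. The origin normalisation (scheme required, trailing slash dropped, default port folded, host lowercased) goes beyond what the issue asks for, so that a value copied with a stray "/" still matches the browser's Origin header. One caveat for the third acceptance criterion: if CORSMiddleware here is Starlette's (FastAPI re-exports it), a preflight from an unlisted origin is answered with 400, not 403, so the check should assert on the response actually returned rather than on 403.

```python
"""Parse CORS_ALLOW_ORIGINS and build CORSMiddleware arguments.

Added example for issue #925, not SPARC's own code.  The variable name,
the dev fallback and the no-wildcard policy are assumptions.
"""
from __future__ import annotations

import os
from urllib.parse import urlsplit

# Fallback used when the variable is unset (mirrors the issue text).
DEV_ORIGINS = ("http://localhost:3000", "http://localhost:5173")


def normalize_origin(value: str) -> str:
    """Validate one origin and return it in canonical form.

    A browser Origin header is exactly scheme://host[:port], so a path,
    query or userinfo would never match and is rejected loudly.  A lone
    trailing slash, the usual copy-paste mistake, is tolerated and dropped.
    """
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"origin must be http(s)://host[:port]: {value!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError(f"origin must not carry a path, query or userinfo: {value!r}")
    host = parts.hostname.lower()
    if ":" in host:  # IPv6 literal, keep the brackets
        host = f"[{host}]"
    default_port = 443 if parts.scheme == "https" else 80
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def parse_cors_origins(raw: str | None, default=DEV_ORIGINS) -> list[str]:
    """Comma-separated list -> canonical origins; unset or blank -> default."""
    if raw is None or not raw.strip():
        return list(default)
    origins: list[str] = []
    for item in raw.split(","):
        if not item.strip():
            continue  # tolerate "a,,b" and a trailing comma
        if item.strip() == "*":
            # Policy assumption: the dashboard uses credentials, and a
            # wildcard origin must never be combined with credentials.
            raise ValueError("wildcard origin is not allowed; list origins explicitly")
        origin = normalize_origin(item)
        if origin not in origins:
            origins.append(origin)
    return origins


def cors_middleware_kwargs(origins: list[str]) -> dict:
    """Keyword arguments for app.add_middleware(CORSMiddleware, ...).

    Kept free of a starlette import so the parsing can be unit-tested
    without the web framework installed.
    """
    return {
        "allow_origins": origins,
        "allow_credentials": True,
        "allow_methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
        "allow_headers": ["Authorization", "Content-Type"],
    }


def origin_allowed(origin_header: str, origins: list[str]) -> bool:
    """Exact string comparison, as the middleware does with allow_origins.

    No prefix or substring matching, so https://sparc.example.com.evil.net
    and http://sparc.example.com are both refused for https://sparc.example.com.
    """
    return origin_header in origins


def load_from_env(environ=os.environ) -> list[str]:
    """Read the variable from the given mapping (defaults to os.environ)."""
    return parse_cors_origins(environ.get("CORS_ALLOW_ORIGINS"))


if __name__ == "__main__":
    # Constructed environment for the demo, not a real deployment.
    env = {"CORS_ALLOW_ORIGINS": "https://sparc.example.com, https://SPARC.example.com:443/,"}
    allowed = load_from_env(env)
    print(allowed)
    print(origin_allowed("https://sparc.example.com", allowed))
    print(origin_allowed("https://sparc.example.com.evil.net", allowed))
    print(load_from_env({}))
    print(cors_middleware_kwargs(allowed))
```

Failing fast on a malformed entry is deliberate: a silently ignored origin looks like "CORS is broken" in the browser console, whereas a ValueError at startup names the bad value. The same routine is what a deployment doc entry for CORS_ALLOW_ORIGINS should describe: comma-separated, scheme included, no paths.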
Author
Owner

This issue has been resolved. SPARC/config.py lines 64-70 read CORS_ORIGINS from the environment (comma-separated) and fall back to localhost dev origins when unset. docker-compose.yml passes CORS_ORIGINS: ${CORS_ORIGINS:-}. Closing as completed.

Reference: leeworks-agents/SPARC#925