From afbb4b29dc8bbe8f8d5201d6faa4a81b9e040712 Mon Sep 17 00:00:00 2001
From: Manuel Raynaud
Date: Wed, 11 Jun 2025 11:55:28 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=A9=B9(backend)=20default=20CORS=5FALLOW?= =?UTF-8?q?=5FALL=5FORIGINS=20to=20False?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The settings CORS_ALLOW_ALL_ORIGINS was set to True by default. This error is inherited from a old mistake made back in the days while working on the initial impress demo. This is not something we want, this should be only allowed in development. We change the value in all the manifests in order to have the desired behavior in non development environments.
---
 docs/env.md | 2 +-
 src/backend/impress/settings.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/env.md b/docs/env.md
index a41d7ef9..f9cd154c 100644
--- a/docs/env.md
+++ b/docs/env.md
@@ -40,7 +40,7 @@ These are the environment variables you can set for the `impress-backend` contai
 | DJANGO_EMAIL_USE_TLS | use tls for email host connection | false |
 | DJANGO_EMAIL_USE_SSL | use sstl for email host connection | false |
 | DJANGO_EMAIL_FROM | email address used as sender | from@example.com |
-| DJANGO_CORS_ALLOW_ALL_ORIGINS | allow all CORS origins | true |
+| DJANGO_CORS_ALLOW_ALL_ORIGINS | allow all CORS origins | false |
 | DJANGO_CORS_ALLOWED_ORIGINS | list of origins allowed for CORS | [] |
 | DJANGO_CORS_ALLOWED_ORIGIN_REGEXES | list of origins allowed for CORS using regulair expressions | [] |
 | SENTRY_DSN | sentry host | |
diff --git a/src/backend/impress/settings.py b/src/backend/impress/settings.py
index 737bb338..05d89443 100755
--- a/src/backend/impress/settings.py
+++ b/src/backend/impress/settings.py
@@ -396,7 +396,7 @@ class Base(Configuration):
 # CORS
 CORS_ALLOW_CREDENTIALS = True
- CORS_ALLOW_ALL_ORIGINS = values.BooleanValue(True)
+ CORS_ALLOW_ALL_ORIGINS = values.BooleanValue(False)
 CORS_ALLOWED_ORIGINS = values.ListValue([])
 CORS_ALLOWED_ORIGIN_REGEXES = values.ListValue([])
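Review bot: The new default on the `+` line carries no comment explaining why it must stay False, so the next maintainer has nothing stopping a revert to the old value; the reason is the `CORS_ALLOW_CREDENTIALS = True` two lines above it, because with django-cors-headers (which these setting names suggest is in use) an allow-all policy combined with credentials makes the middleware reflect the request Origin instead of emitting `*`, so any site could issue credentialed cross-origin requests against the API. I would add above the changed line `# Keep False: CORS_ALLOW_CREDENTIALS is True, so allowing every origin would let any site send credentialed requests. Enable only in development via DJANGO_CORS_ALLOW_ALL_ORIGINS.` The commit message says the permissive value should be allowed only in development, but nothing in this hunk enforces that; if a development Configuration subclass exists it should override the value there rather than relying on each manifest, and it is worth confirming that `CORS_ALLOWED_ORIGINS` is actually populated in the production manifests now that the open default is gone. The `Base` class starts and ends outside the hunk.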