🩹(backend) default CORS_ALLOW_ALL_ORIGINS to False

The setting CORS_ALLOW_ALL_ORIGINS was set to True by default.

This error is inherited from an old mistake made back in the days
while working on the initial impress demo.

I wrongly configured the settings. This error was propagated when
@sampaccoud copied impress code to kickstart LaSuite Meet.

This is not something we want; this should only be allowed in
development. We change the value in all the manifests in order to have
the desired behavior in non-development environments.
lebaudantoine
2025-06-10 15:47:45 +02:00
committed by aleb_the_flash
parent 9d516bf638
commit f9614fc108
2 changed files with 6 additions and 6 deletions


@@ -250,7 +250,7 @@ You can use Visio on https://meet.127.0.0.1.nip.io from the local device. The pr
These are the environmental options available on meet backend.
| Option | Description | default |
| ----------------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ----------------------------------------------- | ---------------------------------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------|
| DATA_DIR | Data directory location | /data |
| DJANGO_ALLOWED_HOSTS | Hosts that are allowed | [] |
| DJANGO_SECRET_KEY | Secret key used for Django security | |
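Review bot: the separator-row rewrite in this hunk is whitespace-only (the spacing around the third column's `|` changes, nothing else) and unrelated to the CORS default; the same is true of the realignment hunks further down in this file. Consider dropping these from the commit or splitting them into a formatting-only change so the diff shows just the DJANGO_CORS_ALLOW_ALL_ORIGINS line.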
@@ -270,7 +270,7 @@ These are the environmental options available on meet backend.
| AWS_STORAGE_BUCKET_NAME | S3 bucket name | meet-media-storage |
| DJANGO_LANGUAGE_CODE | Default language | en-us |
| REDIS_URL | Redis endpoint | redis://redis:6379/1 |
| SESSION_COOKIE_AGE | Session cookie expiration in seconds | 43200 (12 hours) |
| SESSION_COOKIE_AGE | Session cookie expiration in seconds | 43200 (12 hours) |
| REQUEST_ENTRY_THROTTLE_RATES | Entry request throttle rates | 150/minute |
| CREATION_CALLBACK_THROTTLE_RATES | Creation callback throttle rates | 600/minute |
| SPECTACULAR_SETTINGS_ENABLE_DJANGO_DEPLOY_CHECK | Enable Django deploy check | false |
@@ -293,7 +293,7 @@ These are the environmental options available on meet backend.
| EMAIL_LOGO_IMG | Email logo image | |
| EMAIL_DOMAIN | Email domain | |
| EMAIL_APP_BASE_URL | Email app base URL | |
| DJANGO_CORS_ALLOW_ALL_ORIGINS | Allow all CORS origins | true |
| DJANGO_CORS_ALLOW_ALL_ORIGINS | Allow all CORS origins | false |
| DJANGO_CORS_ALLOWED_ORIGINS | Origins to allow (string list) | [] |
| DJANGO_CORS_ALLOWED_ORIGIN_REGEXES | Origins to allow (regex patterns) | [] |
| SENTRY_DSN | Sentry server DSN | |
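Review bot: the new default of `false` for DJANGO_CORS_ALLOW_ALL_ORIGINS means a deployment that previously relied on the permissive default will now reject cross-origin requests until DJANGO_CORS_ALLOWED_ORIGINS or DJANGO_CORS_ALLOWED_ORIGIN_REGEXES (the two rows just below) are set to the frontend's origin; the description column should say so, and the commit or release notes should flag it as a behaviour change operators must act on.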
@@ -351,10 +351,10 @@ These are the environmental options available on meet backend.
| LOBBY_KEY_PREFIX | Lobby key prefix | room_lobby |
| LOBBY_WAITING_TIMEOUT | Lobby waiting timeout in seconds | 3 |
| LOBBY_DENIED_TIMEOUT | Lobby deny timeout in seconds | 5 |
| LOBBY_ACCEPTED_TIMEOUT | Lobby accept timeout in seconds | 21600 (6 hours) |
| LOBBY_ACCEPTED_TIMEOUT | Lobby accept timeout in seconds | 21600 (6 hours) |
| LOBBY_NOTIFICATION_TYPE | Lobby notification types | participantWaiting |
| LOBBY_COOKIE_NAME | Lobby cookie name | lobbyParticipantId |
| ROOM_CREATION_CALLBACK_CACHE_TIMEOUT | Room creation callback cache timeout | 600 (10 minutes) |
| ROOM_CREATION_CALLBACK_CACHE_TIMEOUT | Room creation callback cache timeout | 600 (10 minutes) |
| ROOM_TELEPHONY_ENABLED | Enable SIP telephony feature | false |
| ROOM_TELEPHONY_PIN_LENGTH | Telephony PIN length | 10 |
| ROOM_TELEPHONY_PIN_MAX_RETRIES | Telephony PIN maximum retries | 5 |


@@ -340,7 +340,7 @@ class Base(Configuration):
# CORS
CORS_ALLOW_CREDENTIALS = True
CORS_ALLOW_ALL_ORIGINS = values.BooleanValue(True)
CORS_ALLOW_ALL_ORIGINS = values.BooleanValue(False)
CORS_ALLOWED_ORIGINS = values.ListValue([])
CORS_ALLOWED_ORIGIN_REGEXES = values.ListValue([])
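Review bot: since `CORS_ALLOW_CREDENTIALS = True` is left in place two lines above, the old `BooleanValue(True)` default allowed credentialed cross-origin requests from any origin, which is why flipping it matters; a short comment on the `CORS_ALLOW_ALL_ORIGINS` line explaining that the default is False on purpose and that development should opt in via the DJANGO_CORS_ALLOW_ALL_ORIGINS environment variable would stop the mistake the commit message describes from being reintroduced.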