Subcategory: Dependency & security hygiene (and security posture)
Score: 8 → 10 (target)
src/pycharting/core/server.py:126 configures CORS with a permissive combination:
app.add_middleware(
CORSMiddleware,
allow_origins=["*"], # wildcard
allow_credentials=True, # + credentials
allow_methods=["*"],
allow_headers=["*"],
)
Wildcard origins together with allow_credentials=True is the insecure CORS pairing (the code comment already notes "In production, specify exact origins"). Risk is mitigated because the server binds to 127.0.0.1, but the config should not ship permissive.
Suggested fix: enumerate explicit localhost origins (the actual server host:port), or drop allow_credentials since none are needed for this local tool.
Done when: CORS no longer pairs wildcard origins with allow_credentials=True.
Subcategory: Dependency & security hygiene (and security posture)
Score: 8 → 10 (target)
src/pycharting/core/server.py:126configures CORS with a permissive combination:Wildcard origins together with
allow_credentials=Trueis the insecure CORS pairing (the code comment already notes "In production, specify exact origins"). Risk is mitigated because the server binds to127.0.0.1, but the config should not ship permissive.Suggested fix: enumerate explicit localhost origins (the actual server host:port), or drop
allow_credentialssince none are needed for this local tool.Done when: CORS no longer pairs wildcard origins with
allow_credentials=True.