Skip to content

Tighten CORS: wildcard origins + allow_credentials #48

Description

@tschm

Subcategory: Dependency & security hygiene (and security posture)
Score: 8 → 10 (target)

src/pycharting/core/server.py:126 configures CORS with a permissive combination:

app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],       # wildcard
    allow_credentials=True,    # + credentials
    allow_methods=["*"],
    allow_headers=["*"],
)

Wildcard origins together with allow_credentials=True is the insecure CORS pairing (the code comment already notes "In production, specify exact origins"). Risk is mitigated because the server binds to 127.0.0.1, but the config should not ship permissive.

Suggested fix: enumerate explicit localhost origins (the actual server host:port), or drop allow_credentials since none are needed for this local tool.

Done when: CORS no longer pairs wildcard origins with allow_credentials=True.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions