Allow private-network CORS origins in development
@@ -65,6 +65,7 @@ Use `.env.example` as baseline. The table below documents user-managed settings
|
||||
| `VITE_API_BASE` | empty for host-derived `http://<frontend-host>:8000/api/v1`, or explicit local URL | `https://api.example.com/api/v1` |
|
||||
| `CORS_ORIGINS` | `["http://localhost:5173","http://localhost:3000"]` | exact frontend origins only, for example `["https://app.example.com"]` |
|
||||
| `CORS_ALLOW_CREDENTIALS` | `false` | `false` (Authorization header flow does not need credentialed CORS) |
|
||||
| `CORS_ALLOW_DEVELOPMENT_PRIVATE_NETWORK_ORIGINS` | `true` to allow LAN origins such as `http://192.168.x.x:5173` during dev | `false` |
|
||||
| `REDIS_URL` | `redis://:<password>@redis:6379/0` in isolated local network | `rediss://:<password>@redis.internal:6379/0` |
|
||||
| `REDIS_SECURITY_MODE` | `compat` or `auto` | `strict` |
|
||||
| `REDIS_TLS_MODE` | `allow_insecure` or `auto` | `required` |
|
||||
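Review bot: the new `CORS_ALLOW_DEVELOPMENT_PRIVATE_NETWORK_ORIGINS` row does not say that the flag is only honoured in development mode, so a reader of this table alone could set it to `true` in a LIVE `.env` and expect (or fear) that LAN origins are then accepted; since the Security Controls section describes it as a development-mode-only relaxation, the dev-value column should say so explicitly, and the row should name which ranges count as "private-network" (the example only shows `http://192.168.x.x:5173`). It would also help to confirm that `.env.example`, which the paragraph above calls the baseline, carries the `false` default rather than `true`.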
@@ -93,6 +94,7 @@ Recommended LIVE pattern:
|
||||
## Security Controls
|
||||
|
||||
- CORS uses explicit origin allowlist only; broad origin regex matching is removed.
|
||||
- Development mode can additionally allow private-network HTTP(S) origins when `CORS_ALLOW_DEVELOPMENT_PRIVATE_NETWORK_ORIGINS=true`.
|
||||
- Worker Redis startup validates URL auth and TLS policy before consuming jobs.
|
||||
- Provider API keys are encrypted at rest with standard AEAD (`cryptography` Fernet).
|
||||
- legacy `enc-v1` payloads are read for backward compatibility
|
||||
|
||||
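Review bot: the added bullet reads as a partial contradiction of the line just above it ("explicit origin allowlist only; broad origin regex matching is removed"), because it reintroduces pattern-based origin acceptance for private-network hosts; state how development mode is detected (which setting selects it) and that the flag is ignored outside it, so the two bullets together describe one coherent policy. Consider also tying it back to the `CORS_ALLOW_CREDENTIALS=false` row, which is what keeps the wider dev allowlist limited to non-credentialed requests.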