Skip to content

fix: implement CORS security to prevent unauthorized cross-origin requests #179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Aug 15, 2025
Merged

fix: implement CORS security to prevent unauthorized cross-origin requests #179

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
eff670a
fix: implement CORS security to prevent unauthorized cross-origin req…
claude[bot] Aug 7, 2025
2380c28
fix: correct import order in app.py to comply with linting standards
claude[bot] Aug 7, 2025
7b2a8a1
fix merge conflicts
yangm2 Aug 15, 2025
7d7aba6
fix merge conflicts again
yangm2 Aug 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions backend/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,11 @@ version = "0.2.0"
requires-python = ">=3.12"
dependencies = [
"flask>=3.1.1",
"flask-mailman",
"Flask_Limiter",
"xhtml2pdf",
"redis",
"flask-mailman>=1.1.1",
"Flask_Limiter>=3.12",
"xhtml2pdf>=0.2.17",
"redis>=6.4.0",
"flask-cors>=4.0.0",
"valkey>=6.1.0",
"gunicorn>=23.0.0",
"google-auth>=2.40.3",
Expand Down
19 changes: 19 additions & 0 deletions backend/tenantfirstaid/app.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
from flask_mailman import Mail
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address
from flask_cors import CORS
import os
import secrets

Expand Down Expand Up @@ -38,6 +39,24 @@ def build_valkey_uri():
app=app,
storage_uri=build_valkey_uri(),
)
# Configure CORS with strict origin validation
ALLOWED_ORIGINS = [
"https://tenantfirstaid.com",
"https://www.tenantfirstaid.com",
]

# Add localhost origins for development
if os.getenv("ENV", "dev") == "dev":
ALLOWED_ORIGINS.extend(
[
"http://localhost:3000",
"http://127.0.0.1:3000",
"http://localhost:5173", # Vite default
"http://127.0.0.1:5173",
]
)

CORS(app, origins=ALLOWED_ORIGINS, supports_credentials=True)

# Configure Flask sessions
app.secret_key = os.getenv("FLASK_SECRET_KEY", secrets.token_hex(32))
Expand Down
Loading