From 43db97aeaa0c219255cf5dab17912e6ff87e3099 Mon Sep 17 00:00:00 2001
From: yiekheng
Date: Sat, 2 May 2026 21:27:06 +0800
Subject: [PATCH] fix(api): drop flask_cors from cm_api (CORS-A defense-in-depth)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

api-server is internal-only after C5 (no host port in prod compose), so the permissive 'CORS(app)' default never fires in normal operation. Removing it eliminates a stale '*' Access-Control-Allow-Origin that would become attack surface if a host port were ever accidentally re-exposed. Server-side fetches from web-view (legacy Flask) and web-next (Next.js RSC) don't trigger CORS — that's a browser-only mechanism. flask_cors stays in requirements.txt because cm_web_view.py still imports it; both get removed in B4 when the legacy web-view retires.
---
 app/cm_api.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/cm_api.py b/app/cm_api.py
index 5c01e93..a9a24a6 100644
--- a/app/cm_api.py
+++ b/app/cm_api.py
@@ -1,7 +1,6 @@
 import os
 import threading
 from flask import Flask, jsonify, request
-from flask_cors import CORS
 from .db import DB
@@ -19,7 +18,12 @@ class CM_API:
 def __init__(self):
 self.app = Flask(__name__)
- CORS(self.app)
+ # No CORS middleware: api-server is internal-only (no host port
+ # in prod compose, per C5). Browsers can't reach it directly,
+ # and server-side fetches from web-view / web-next don't trigger
+ # CORS. Removing flask_cors removes a permissive '*' origin
+ # default that becomes an attack surface if a host port is ever
+ # accidentally re-exposed.
 self._register_routes()
 def _get_database_connection(self):
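Review bot: The comment added in `CM_API.__init__` presents the missing CORS middleware as protection, but it should also say what that does not cover: without an `Access-Control-Allow-Origin` header a browser still sends simple cross-origin requests and only stops the calling page from reading the response. If a host port were ever re-exposed, any state-changing route would therefore still depend on caller authentication, which is not visible in this hunk because the rest of the class lies outside it. I would add a line such as `# NOTE: absence of CORS headers is not access control; routes must still authenticate callers.` and a regression test that issues a request through `self.app.test_client()` and asserts `"Access-Control-Allow-Origin" not in response.headers`, so a re-added `CORS(self.app)` is caught. The history in the comment ("Removing flask_cors removes ...") belongs in the commit message; the comment itself reads better as the standing invariant.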