fix(api): drop flask_cors from cm_api (CORS-A defense-in-depth)
api-server is internal-only after C5 (no host port in prod compose), so the permissive 'CORS(app)' default never fires in normal operation. Removing it eliminates a stale '*' Access-Control-Allow-Origin that would become attack surface if a host port were ever accidentally re-exposed. Server-side fetches from web-view (legacy Flask) and web-next (Next.js RSC) don't trigger CORS — that's a browser-only mechanism. flask_cors stays in requirements.txt because cm_web_view.py still imports it; both get removed in B4 when the legacy web-view retires.
This commit is contained in:
parent
3bfd35ef8d
commit
43db97aeaa
@ -1,7 +1,6 @@
|
|||||||
import os
|
import os
|
||||||
import threading
|
import threading
|
||||||
from flask import Flask, jsonify, request
|
from flask import Flask, jsonify, request
|
||||||
from flask_cors import CORS
|
|
||||||
from .db import DB
|
from .db import DB
|
||||||
|
|
||||||
|
|
||||||
@ -19,7 +18,12 @@ class CM_API:
|
|||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
self.app = Flask(__name__)
|
self.app = Flask(__name__)
|
||||||
CORS(self.app)
|
# No CORS middleware: api-server is internal-only (no host port
|
||||||
|
# in prod compose, per C5). Browsers can't reach it directly,
|
||||||
|
# and server-side fetches from web-view / web-next don't trigger
|
||||||
|
# CORS. Removing flask_cors removes a permissive '*' origin
|
||||||
|
# default that becomes an attack surface if a host port is ever
|
||||||
|
# accidentally re-exposed.
|
||||||
self._register_routes()
|
self._register_routes()
|
||||||
|
|
||||||
def _get_database_connection(self):
|
def _get_database_connection(self):
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user