Problem
main.py configures CORS with allow_origins=["*"], opening the API to cross-origin requests from any browser origin. While API-key authentication reduces the risk compared to cookie-authenticated APIs, wildcard CORS is still unnecessarily permissive for what appears to be a private/internal service (per license_info: Proprietary).
Impact
- Any browser-side script on any domain can make cross-origin preflight and authenticated requests
- If the API key is ever exposed client-side, CORS provides no additional barrier
Fix
Restrict allow_origins to the set of known consumer origins. If the consumer origins are not known at deploy time, make ALLOWED_ORIGINS a configurable env var (comma-separated list, defaulting to a restrictive set).
If public browser access is genuinely required, document the rationale in main.py alongside the setting.
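One concrete shape for that fix, as an added example rather than code from the project: it assumes main.py is a FastAPI app using Starlette's CORSMiddleware, and the default origin and the X-API-Key header name are constructed placeholders. The parser rejects wildcards and non-origin strings so a typo in the env var cannot silently widen the policy.

```python
"""Restrict CORS origins via an ALLOWED_ORIGINS env var (added example)."""
import os
from typing import List, Optional
from urllib.parse import urlsplit

# Restrictive default used when the env var is unset or empty (constructed value).
DEFAULT_ALLOWED_ORIGINS = ("https://app.internal.example",)


def parse_allowed_origins(raw: Optional[str]) -> List[str]:
    """Parse a comma-separated ALLOWED_ORIGINS value into a validated origin list.

    Returns the restrictive default when the value is unset or blank, and
    raises ValueError for entries that are not proper origins (wildcards,
    paths, missing scheme), so misconfiguration fails closed at startup.
    """
    if raw is None or not raw.strip():
        return list(DEFAULT_ALLOWED_ORIGINS)
    origins: List[str] = []
    for entry in raw.split(","):
        origin = entry.strip().lower()
        if not origin:
            continue
        if "*" in origin:
            raise ValueError(f"wildcard origin not allowed: {origin!r}")
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"origin must be scheme://host[:port]: {origin!r}")
        if parts.path or parts.query or parts.fragment:
            raise ValueError(f"origin must not carry a path: {origin!r}")
        if origin not in origins:  # de-duplicate while keeping order
            origins.append(origin)
    return origins


def build_app():
    """Wire the parsed list into FastAPI's CORSMiddleware (assumed framework)."""
    from fastapi import FastAPI
    from fastapi.middleware.cors import CORSMiddleware

    app = FastAPI()
    # Before: allow_origins=["*"] let any origin pass the preflight.
    # After: only configured consumer origins are reflected in
    # Access-Control-Allow-Origin; every other origin fails the preflight.
    app.add_middleware(
        CORSMiddleware,
        allow_origins=parse_allowed_origins(os.environ.get("ALLOWED_ORIGINS")),
        allow_methods=["GET", "POST"],
        allow_headers=["X-API-Key"],  # placeholder for the real key header
    )
    return app
```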
Source
AR finding #6 (architectural review 2026-03-18).