I want to document and make room for a discussion here about the CORS configuration changes I made as part of #484.
Background
CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which origins are allowed to make requests to a server. Previously, Balancer's backend accepted requests from any origin, which is a common default in development. However, it could present a security risk as the Balancer site grows, since it means any website could make authenticated API requests.
As part of my auth feature (#483) I've locked down CORS to an explicit allowlist via the CORS_ALLOWED_ORIGINS env variable. In dev, this is just localhost:3000, but it needs to be set explicitly in prod.
What changed
settings.py now reads CORS_ALLOWED_ORIGINS from the environment and splits it into a list. If the variable is missing or wrong, no origins are allowed except localhost.
What needs to happen before deploying
Add CORS_ALLOWED_ORIGINS=https://balancerproject.org to the production environment config before or at the same time as the production deployment. If the app is ever served from additional domains or subdomains, those need to be included as a comma-separated list.
Before the next sandbox deployment, we need to add CORS_ALLOWED_ORIGINS=https://sandbox.balancertestsite.com to the env configs.
Risk
If we miss adding the correct configs before deployment, the browser will block all API requests, effectively making the site break for everyone, authenticated or not.
Rollback
We can always just revert the CORS setting to allow all and it'll work again.
@sahilds1 @taichan03 @TineoC
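As an added example for the discussion above (this is not Balancer's settings.py and not the code from #484), the following Python shows one way to turn a comma-separated CORS_ALLOWED_ORIGINS variable into a validated allowlist, to fail at startup instead of silently allowing nothing when the variable is missing in production, and the exact-match rule a CORS middleware applies to the request's Origin header (http vs. https and every subdomain count as different origins). The dev default of http://localhost:3000, the debug flag and all function names are assumptions.

```python
"""Added example (not Balancer's settings.py, not the #484 code): load and
validate CORS_ALLOWED_ORIGINS and apply the exact-match origin rule.
The dev default, the debug flag and the function names are assumptions."""
from __future__ import annotations

import os
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Assumed dev default, matching the localhost:3000 mentioned in the issue.
DEV_DEFAULT_ORIGINS = ["http://localhost:3000"]


class CorsConfigError(ValueError):
    """An origin in CORS_ALLOWED_ORIGINS is malformed, or the variable is missing."""


def normalize_origin(value: str) -> str:
    """Validate one origin and return it as canonical scheme://host[:port].

    A web origin is only scheme, host and port. Paths, query strings,
    trailing slashes, credentials and wildcards are rejected so a typo in
    the env var fails loudly instead of silently breaking or widening CORS.
    """
    raw = value.strip()
    parts = urlsplit(raw)  # scheme is lowercased by urlsplit
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise CorsConfigError(f"{raw!r} must look like https://host[:port]")
    if parts.path or parts.query or parts.fragment:
        raise CorsConfigError(f"{raw!r} must not contain a path, query or trailing slash")
    if parts.username is not None or parts.password is not None or "*" in parts.netloc:
        raise CorsConfigError(f"{raw!r} must not contain credentials or wildcards")
    try:
        host, port = parts.hostname, parts.port  # .port raises on a non-numeric port
    except ValueError as exc:
        raise CorsConfigError(f"{raw!r} has an invalid port") from exc
    if not host:
        raise CorsConfigError(f"{raw!r} has no host")
    host = host.lower()
    if ":" in host:  # urlsplit strips the brackets from IPv6 literals
        host = f"[{host}]"
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def load_allowed_origins(environ: Optional[Mapping[str, str]] = None,
                         debug: bool = False) -> list[str]:
    """Build the allowlist from the comma-separated CORS_ALLOWED_ORIGINS.

    In production (debug=False) an unset or empty variable raises instead of
    yielding an empty list, because an empty allowlist makes the browser
    block every cross-origin API call for every user, logged in or not.
    """
    environ = os.environ if environ is None else environ
    raw = environ.get("CORS_ALLOWED_ORIGINS", "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        if debug:
            return list(DEV_DEFAULT_ORIGINS)
        raise CorsConfigError("CORS_ALLOWED_ORIGINS must be set outside of development")
    allowlist: list[str] = []
    for entry in entries:
        origin = normalize_origin(entry)
        if origin not in allowlist:  # drop duplicates, keep order
            allowlist.append(origin)
    return allowlist


def config_error(environ: Mapping[str, str], debug: bool = False) -> Optional[str]:
    """Message a deploy-time check would print, or None when the config is valid."""
    try:
        load_allowed_origins(environ, debug)
    except CorsConfigError as exc:
        return str(exc)
    return None


def origin_allowed(request_origin: str, allowlist: list[str]) -> bool:
    """Exact-match decision a CORS middleware makes on the Origin header.

    Scheme, host and port must all match an allowlist entry: https and http
    are different origins, and so is every subdomain, which is why each
    domain the app is served from has to be listed explicitly.
    """
    try:
        return normalize_origin(request_origin) in allowlist
    except CorsConfigError:  # e.g. the literal "null" origin or a malformed header
        return False


if __name__ == "__main__":
    prod = {"CORS_ALLOWED_ORIGINS": "https://balancerproject.org, https://sandbox.balancertestsite.com"}
    origins = load_allowed_origins(prod)
    print("allowlist:", origins)
    for candidate in ("https://balancerproject.org", "http://balancerproject.org",
                      "https://api.balancerproject.org", "null"):
        print(f"{candidate:40} allowed={origin_allowed(candidate, origins)}")
    print("missing in prod ->", config_error({}))
```

Running `config_error` against the production environment as part of the deploy checklist catches the failure mode described under Risk before any browser sees an empty allowlist; the trailing-slash and wildcard rejections catch the two most common ways a hand-edited env var goes wrong.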