Skip to content

CORS origins hardcoded for specific deployments, breaks flexibility for multiple environments #102

Description

@anshul23102

Description

The CORS configuration in app/main.py hardcodes specific deployment domains (lines 65-69) including 'https://enterpriserag-ai.vercel.app'. This makes the application inflexible for different environments like staging, testing, or custom deployments. Each new environment requires code changes and redeployment. The hardcoded production URL also prevents local development if the domain changes.

Steps to Reproduce

  1. Try to access the API from a different domain than the hardcoded ones
  2. The browser blocks the request due to CORS
  3. To support a new environment, code changes are required
  4. The hardcoded production URL binds the code to one specific deployment

Environment Information

  • EnterpriseRAG-AI backend, FastAPI
  • Affected file: app/main.py, lines 65-69
  • CORS middleware configuration

Expected Behavior

CORS origins should be loaded from environment configuration, allowing different domains per environment without code changes. Separate config for dev, staging, and production.

Actual Behavior

Lines 65-69 hardcode allowed origins:
'http://localhost:5173'
'http://127.0.0.1:5173'
'https://enterpriserag-ai.vercel.app'
No environment-based flexibility.

Code Reference

File: app/main.py
Lines: 65-69
Problematic code: allow_origins=[ hardcoded list of domains ]

Additional Context

Severity: Medium. Hardcoded configuration reduces deployment flexibility. Each new environment requires code modification and redeployment, increasing complexity and risk. Suggested fix: Load CORS origins from environment variable CORS_ORIGINS or use config file.

Suggested Labels

configuration, deployment, cors


Program Template

  • GSSoC

Metadata

Metadata

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions