Description
The CORS configuration in app/main.py hardcodes specific deployment domains (lines 65-69) including 'https://enterpriserag-ai.vercel.app'. This makes the application inflexible for different environments like staging, testing, or custom deployments. Each new environment requires code changes and redeployment. The hardcoded production URL also prevents local development if the domain changes.
Steps to Reproduce
- Try to access the API from a different domain than the hardcoded ones
- The browser blocks the request due to CORS
- To support a new environment, code changes are required
- The hardcoded production URL binds the code to one specific deployment
Environment Information
- EnterpriseRAG-AI backend, FastAPI
- Affected file: app/main.py, lines 65-69
- CORS middleware configuration
Expected Behavior
CORS origins should be loaded from environment configuration, allowing different domains per environment without code changes. Separate config for dev, staging, and production.
Actual Behavior
Lines 65-69 hardcode allowed origins:
'http://localhost:5173'
'http://127.0.0.1:5173'
'https://enterpriserag-ai.vercel.app'
No environment-based flexibility.
Code Reference
File: app/main.py
Lines: 65-69
Problematic code: allow_origins=[ hardcoded list of domains ]
Additional Context
Severity: Medium. Hardcoded configuration reduces deployment flexibility. Each new environment requires code modification and redeployment, increasing complexity and risk. Suggested fix: Load CORS origins from environment variable CORS_ORIGINS or use config file.
Suggested Labels
configuration, deployment, cors
Program Template
Description
The CORS configuration in app/main.py hardcodes specific deployment domains (lines 65-69) including 'https://enterpriserag-ai.vercel.app'. This makes the application inflexible for different environments like staging, testing, or custom deployments. Each new environment requires code changes and redeployment. The hardcoded production URL also prevents local development if the domain changes.
Steps to Reproduce
Environment Information
Expected Behavior
CORS origins should be loaded from environment configuration, allowing different domains per environment without code changes. Separate config for dev, staging, and production.
Actual Behavior
Lines 65-69 hardcode allowed origins:
'http://localhost:5173'
'http://127.0.0.1:5173'
'https://enterpriserag-ai.vercel.app'
No environment-based flexibility.
Code Reference
File: app/main.py
Lines: 65-69
Problematic code: allow_origins=[ hardcoded list of domains ]
Additional Context
Severity: Medium. Hardcoded configuration reduces deployment flexibility. Each new environment requires code modification and redeployment, increasing complexity and risk. Suggested fix: Load CORS origins from environment variable CORS_ORIGINS or use config file.
Suggested Labels
configuration, deployment, cors
Program Template