Make CORS allow_credentials configurable instead of hardcoded True

Add [api] access_control_allow_credentials config option (default: False)
to replace the hardcoded allow_credentials=True in CORSMiddleware. Also
log a warning when credentials are enabled with wildcard origins, as
this creates CSRF risk.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Vamsi-klu

airflow/api_fastapi/core_api/app.py

@@ -147,12 +147,18 @@ def init_config(app: FastAPI) -> None:
     allow_origins = conf.getlist("api", "access_control_allow_origins")
     allow_methods = conf.getlist("api", "access_control_allow_methods")
     allow_headers = conf.getlist("api", "access_control_allow_headers")
+    allow_credentials = conf.getboolean("api", "access_control_allow_credentials", fallback=False)
 
     if allow_origins or allow_methods or allow_headers:
+        if allow_credentials and "*" in allow_origins:
+            log.warning(
+                "CORS allow_credentials is True with wildcard (*) in allow_origins. "
+                "This is a security risk. Consider specifying explicit origins."
+            )
         app.add_middleware(
             CORSMiddleware,
             allow_origins=allow_origins,
-            allow_credentials=True,
+            allow_credentials=allow_credentials,
             allow_methods=allow_methods,
             allow_headers=allow_headers,
         )

airflow/config_templates/config.yml

@@ -1434,6 +1434,16 @@ api:
       version_added: 2.2.0
       example: ~
       default: ""
+    access_control_allow_credentials:
+      description: |
+        Indicates whether the response to the request can be exposed when the credentials flag is true.
+        When used as part of a response to a preflight request, this indicates whether or not the
+        actual request can be made using credentials. Setting this to True with a wildcard (*) in
+        access_control_allow_origins is a security risk.
+      type: boolean
+      version_added: 3.0.0
+      example: ~
+      default: "False"
     enable_xcom_deserialize_support:
       description: |
         Indicates whether the **xcomEntries** endpoint supports the **deserialize**