Skip to content

Make CORS allow_credentials configurable instead of hardcoded True#62658

Open
Vamsi-klu wants to merge 1 commit intoapache:mainfrom
Vamsi-klu:fix/m3-cors-credentials-configurable
Open

Make CORS allow_credentials configurable instead of hardcoded True#62658
Vamsi-klu wants to merge 1 commit intoapache:mainfrom
Vamsi-klu:fix/m3-cors-credentials-configurable

Conversation

@Vamsi-klu
Copy link
Contributor

@Vamsi-klu Vamsi-klu commented Mar 1, 2026
edited
Loading

Summary

  • Replace hardcoded allow_credentials=True in CORSMiddleware with configurable [api] access_control_allow_credentials option (default: False)
  • Log a warning when allow_credentials=True is used with wildcard (*) origins, as this creates CSRF risk
  • Add config option to config.yml template

Co-contributors : @codingrealitylabs @girlcoder-gaming

Test plan

  • Verify default behavior: allow_credentials=False when option not set
  • Verify setting access_control_allow_credentials = True enables credentials
  • Verify warning is logged when credentials + wildcard origins are configured
  • Run pytest tests/api_fastapi/core_api/test_app.py -v

Note: This is a breaking change for deployments that rely on CORS credentials being enabled by default.

🤖 Generated with Claude Code

@Vamsi-klu Vamsi-klu marked this pull request as ready for review March 1, 2026 07:36
@Vamsi-klu
Copy link
Contributor Author

Vamsi-klu commented Mar 1, 2026

cc @kaxil @vincbeck @ashb — Would appreciate your review. This replaces the hardcoded allow_credentials=True in CORSMiddleware with a configurable option (default: False). Note this is a breaking change for deployments relying on CORS credentials being enabled by default.

@Vamsi-klu @claude
Make CORS allow_credentials configurable instead of hardcoded True
c58535f 
Add [api] access_control_allow_credentials config option (default: False)
to replace the hardcoded allow_credentials=True in CORSMiddleware. Also
log a warning when credentials are enabled with wildcard origins, as
this creates CSRF risk.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Vamsi-klu Vamsi-klu force-pushed the fix/m3-cors-credentials-configurable branch from a67a3b9 to c58535f Compare March 1, 2026 17:48
vincbeck
vincbeck requested changes Mar 2, 2026
View reviewed changes
Copy link
Contributor

@vincbeck vincbeck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI generated PR with no explanation on why doing this change. Plus, it introduces a breaking change. Please provide more details about this PR and why you want to make that change, otherwise I'll close it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vincbeck vincbeck vincbeck requested changes

@ephraimbuddy ephraimbuddy Awaiting requested review from ephraimbuddy ephraimbuddy is a code owner

@pierrejeambrun pierrejeambrun Awaiting requested review from pierrejeambrun pierrejeambrun is a code owner

@rawwar rawwar Awaiting requested review from rawwar rawwar is a code owner

@jason810496 jason810496 Awaiting requested review from jason810496 jason810496 is a code owner

@bugraoz93 bugraoz93 Awaiting requested review from bugraoz93 bugraoz93 is a code owner

@shubhamraj-git shubhamraj-git Awaiting requested review from shubhamraj-git shubhamraj-git is a code owner

@choo121600 choo121600 Awaiting requested review from choo121600 choo121600 is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Vamsi-klu @vincbeck