MCP/mcpmc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use environment variable for CORS domain configuration

Browse Source 
- Replace hardcoded domain with DOMAIN environment variable
- Automatically configure CORS origins based on deployment environment
- Remove localhost origins in production for enhanced security
- Update security documentation to reflect environment-driven config
- Maintains consistency with existing docker-compose.yml patterns
This commit is contained in:
Ryan Malloy 2025-09-17 20:14:33 -06:00
parent 8e3cee4f18
commit 72e688e58c
2 changed files with 18 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
SECURITY.md
View File

@ -34,13 +34,15 @@ This application requires environment variables for configuration. **Never commi
### Production Deployment Security
#### CORS Configuration
The application includes security-hardened CORS configuration. Update the `allowed_origins` list in `src/mcpmc/main.py` to include only your trusted domains:
The application automatically configures CORS origins based on your `DOMAIN` environment variable:
```python
allowed_origins = [
"https://yourdomain.com",
"https://api.yourdomain.com",
]
- Development: Allows localhost origins for testing
- Production: Uses `https://{DOMAIN}` and `https://api.{DOMAIN}`
- Security: Automatically removes localhost origins in production environments
Set your `DOMAIN` environment variable to configure CORS automatically:
```bash
DOMAIN=mcpmc.yourdomain.com
```
#### SSL/TLS

11
src/mcpmc/main.py
View File

@ -34,12 +34,21 @@ app = FastAPI(
)
# Security-hardened CORS configuration for production
import os
# Build allowed origins from environment
domain = os.getenv('DOMAIN', 'localhost')
allowed_origins = [
"http://localhost:3000", # Development frontend
"http://localhost:8080", # Alternative dev port
"https://mcpmc.yourdomain.com", # Production domain (replace with actual)
f"https://{domain}", # Production frontend
f"https://api.{domain}", # Production API
]
# Remove localhost origins in production
if domain != 'localhost' and not domain.endswith('.local'):
allowed_origins = [origin for origin in allowed_origins if 'localhost' not in origin]
app.add_middleware(
CORSMiddleware,
allow_origins=allowed_origins, # Restricted to specific domains