Summary
Both standalone servers configure CORS with allow_origins=["*"], allow_credentials=True, allow_methods=["*"], and allow_headers=["*"].
Affected Code
# server/key-server/app/main.py:86-92
# server/telemetry-server/app/main.py:23-29
app.add_middleware(
    CORSMiddleware,
    allow_origins=settings.cors_origins,  # defaults to ["*"]
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)
The docker-compose file (openssl_encrypt_server/docker-compose.yml:75) also defaults CORS_ORIGINS to *, and .env.example ships with CORS_ORIGINS=*.
Impact
This is the most permissive CORS configuration possible, allowing any website to make fully credentialed cross-origin requests to the API. An attacker's website could make authenticated API calls on behalf of any user who visits it.
Recommended Fix
- Remove wildcard defaults — require explicit origin configuration
- Never combine allow_origins=["*"] with allow_credentials=True
- Update .env.example with placeholder domains instead of *
Fix
Fixed in commit 809416b on branch releases/1.4.x — changed CORS default from ["*"] to [] in both key-server and telemetry-server; added validation rejecting wildcard when debug=False.
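As an added example (not the project's own code), a settings validator implementing the two rules above: a wildcard origin is rejected whenever credentials are enabled, and rejected outside debug mode, matching the check the fix describes. The names CorsSettings, parse_cors_origins, validate_cors and allow_origin_header are hypothetical; the CORS_ORIGINS value is assumed to be a comma-separated list as in .env.example.

```python
"""Hypothetical CORS allow-list validation for a Starlette/FastAPI app.

Added example, not the key-server or telemetry-server code. Assumes the
allow-list comes from a comma-separated CORS_ORIGINS setting and a DEBUG flag.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class CorsSettings:
    origins: list
    allow_credentials: bool = True
    debug: bool = False


def parse_cors_origins(raw: str) -> list:
    """Split CORS_ORIGINS='https://a.example, https://b.example' into a list."""
    return [o.strip() for o in raw.split(",") if o.strip()]


def validate_cors(settings: CorsSettings) -> list:
    """Return the validated allow-list or raise ValueError.

    - "*" is never accepted together with allow_credentials=True.
    - "*" is only accepted when debug=True (the fix's validation rule).
    - Every other entry must be an origin: scheme://host[:port], no path.
    An empty list (the new default) is valid and allows no cross-origin caller.
    """
    if "*" in settings.origins:
        if settings.allow_credentials:
            raise ValueError("allow_origins=['*'] cannot be combined with allow_credentials=True")
        if not settings.debug:
            raise ValueError("wildcard CORS origin is only permitted when debug=True")
        return ["*"]
    for origin in settings.origins:
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc \
                or parts.path or parts.query or parts.fragment:
            raise ValueError(f"invalid CORS origin: {origin!r}")
    return list(settings.origins)


def allow_origin_header(allowed: list, request_origin: str, allow_credentials: bool):
    """Value for Access-Control-Allow-Origin, or None to omit the header.

    With credentials a browser only honours an explicit origin, so the server
    must echo a listed origin; an unlisted Origin gets no header at all.
    """
    if "*" in allowed and not allow_credentials:
        return "*"
    if request_origin in allowed:
        return request_origin
    return None
```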
References