Commit 3b2ed5aa authored by florimondmanca's avatar florimondmanca

restrict CORS to whitelisted hosts

parent fc85474c
......@@ -116,7 +116,17 @@ REST_FRAMEWORK = {
}
# Security
CORS_ORIGIN_ALLOW_ALL = True
CORS_ORIGIN_REGEX_WHITELIST = (
# Allow local hosts on any port
r'^(https?://)?localhost(:\d+)?$',
r'^(https?://)?127\.0\.0\.1(:\d+)?$',
# Allow hosts such as:
# - https://oser-cs.herokuapp.com
# - https://oser-frontend-dev.herokuapp.com
# (but also https://unknown.herokuapp.com...)
# Essentially allows any frontend hosted on Heroku to send CORS requests.
r'^(https?://)?(.+\.)?herokuapp\.com$'
)
X_FRAME_OPTIONS = 'DENY' # refuse to serve in an <iframe>
# Pymdown-extensions Emoji configuration
......