search

Chainlit / chainlit

Build Conversational AI in minutes ⚡️
https://docs.chainlit.io
Apache License 2.0
6.86k stars 903 forks source link

Security: allowed origins should not be * by default #1359

Open dokterbob opened 1 week ago

dokterbob commented 1 week ago

CORS headers should be restricted to the current domain at least, by default.

dokterbob commented 5 days ago

@dosu Where do we have to look in the settings/code to set this to a sensible/safe default value?

dosubot[bot] commented 5 days ago

To set the allowed origins for CORS headers to a sensible/safe default value, you need to look at the allow_origins setting in the config.toml file.

# Authorized origins
allow_origins = ["*"]

You should replace ["*"] with a list of specific origins that you want to allow. For example:

# Authorized origins
allow_origins = ["https://example.com", "https://anotherdomain.com"]

This setting can be found in multiple config.toml files within the repository, such as:

Additionally, the allow_origins setting can be overridden by the CHAINLIT_ALLOW_ORIGINS environment variable [6].

To continue talking to Dosu, mention @dosu.

dokterbob commented 5 days ago

@dosu Maybe we could make the default in the settings file 127.0.0.1 and localhost, then document users to change it for production to whatever website/domain they use?

dosubot[bot] commented 5 days ago

Yes, you can set the default allowed origins in the settings file to 127.0.0.1 and localhost, and then document for users to change it for production to their specific domains. You can modify the config.toml file as follows:

[project]
# Authorized origins
allow_origins = ["127.0.0.1", "localhost"]

This change can be made in the config.toml files located in various directories, such as:

Additionally, you should document this change and instruct users to update the allow_origins setting for their production environments to their specific domains.

To continue talking to Dosu, mention @dosu.