Description
The FastAPI application uses allow_origins=["*"], which permits requests from any domain. When combined with allow_credentials=True, this violates the CORS specification and exposes the API to cross-site request forgery (CSRF) attacks.
Location
backend/app.py:

    app.add_middleware(
        CORSMiddleware,
        allow_origins=["*"],
        allow_credentials=True,  # invalid with wildcard origin
        allow_methods=["*"],
        allow_headers=["*"],
    )
Impact
Malicious websites can make credentialed requests to the API on behalf of logged-in users. Browsers actually reject allow_credentials=True with a wildcard origin per the CORS spec, which may also cause CORS failures for legitimate clients.
Recommendation
Restrict allow_origins to an explicit list of trusted frontend domains:

    allow_origins=[
        "https://advocateai.example.com",
        "http://localhost:8080",  # development only
    ],
    allow_credentials=True,
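As an added illustration (not code from the project or the report author), the helper below audits a CORSMiddleware-style configuration for the wildcard-plus-credentials combination and shows which response headers an allowlist-based server emits for a given request Origin; CorsPolicy, audit_policy and cors_headers are hypothetical names, and the origins are the ones recommended above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CorsPolicy:
    """Mirror of the CORSMiddleware keyword arguments under review (hypothetical type)."""
    allow_origins: List[str] = field(default_factory=list)
    allow_credentials: bool = False


def audit_policy(policy: CorsPolicy) -> List[str]:
    """Return findings for the configuration; an empty list means it is acceptable."""
    findings = []
    if "*" in policy.allow_origins and policy.allow_credentials:
        findings.append(
            "allow_origins contains '*' with allow_credentials=True: "
            "the CORS spec forbids a wildcard origin on credentialed responses"
        )
    for origin in policy.allow_origins:
        if origin != "*" and not origin.startswith(("https://", "http://localhost")):
            findings.append(f"origin {origin!r} is not HTTPS (or localhost)")
    return findings


def cors_headers(policy: CorsPolicy, request_origin: Optional[str]) -> Dict[str, str]:
    """Headers a correctly configured server emits for request_origin.

    Matching is exact string comparison: prefix or substring checks would
    accept origins that merely begin with an allowed value. A wildcard is only
    ever emitted when credentials are disabled.
    """
    if audit_policy(policy):
        raise ValueError("refusing to serve CORS headers for an invalid policy")
    if request_origin is None:
        return {}  # same-origin or non-browser request: no CORS headers needed
    if "*" in policy.allow_origins:
        return {"Access-Control-Allow-Origin": "*"}  # safe only without credentials
    if request_origin not in policy.allow_origins:
        return {}  # no ACAO header: the browser blocks the cross-origin read
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

Running audit_policy over the middleware arguments in a unit test is a cheap regression guard against the wildcard creeping back in.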
Severity
High