Add CORS and TrustedHost Middleware to FastAPI app

google-labs-jules[bot] · lgcorzo · google-labs-jules[bot] · commit a844db96d7bc · 2026-02-12T20:46:44.000Z
- Configure `TrustedHostMiddleware` with `ALLOWED_HOSTS`.
- Configure `CORSMiddleware` with `ALLOWED_ORIGINS`.
- Ensure `allow_credentials=False` if `ALLOWED_ORIGINS` is `*`.
- Add test case verifying middleware presence.

Co-authored-by: lgcorzo &lt;46710567+lgcorzo@users.noreply.github.com&gt;
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -12,3 +12,8 @@
 **Vulnerability:** The application was catching exceptions in logic callbacks and Kafka consumers, then assigning the raw exception string to a JSON `error` field in the successful response object. This leaked internal details even when the HTTP status code was 200 OK or when processing asynchronously via Kafka.
 **Learning:** Checking for HTTP 500 handlers is not enough. Review application-level error handling where business logic manually constructs error objects.
 **Prevention:** Ensure that any `result["error"]` or similar fields populated in catch blocks use generic messages, while the real exception is logged server-side.
+
+## 2026-06-18 - Insecure Default CORS Configuration
+**Vulnerability:** The application was missing explicit CORS and TrustedHost middleware, potentially exposing it to Host Header Injection and unauthorized cross-origin access.
+**Learning:** Defaulting to `allow_credentials=True` with `allow_origins=["*"]` is a common mistake that browsers reject. Safe defaults must ensure credentials are disabled if wildcard origins are used.
+**Prevention:** Implement conditional logic to force `allow_credentials=False` when `ALLOWED_ORIGINS` contains `*`, ensuring the application remains functional and spec-compliant by default.
diff --git a/src/regression_model_template/controller/kafka_app.py b/src/regression_model_template/controller/kafka_app.py
@@ -12,6 +12,8 @@
 import uvicorn
 import pandas as pd
 from fastapi import FastAPI, HTTPException
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.middleware.trustedhost import TrustedHostMiddleware
 from pydantic import BaseModel
 
 from confluent_kafka import Producer, Consumer, KafkaError, Message
@@ -43,6 +45,27 @@
     version="1.0.0",
 )
 
+# Security Enhancements
+ALLOWED_HOSTS = os.getenv("ALLOWED_HOSTS", "*").split(",")
+ALLOWED_ORIGINS = os.getenv("ALLOWED_ORIGINS", "*").split(",")
+
+app.add_middleware(
+    TrustedHostMiddleware, allowed_hosts=ALLOWED_HOSTS
+)
+
+# Browsers reject CORS if origins is '*' and credentials=True
+allow_credentials = True
+if "*" in ALLOWED_ORIGINS:
+    allow_credentials = False
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=ALLOWED_ORIGINS,
+    allow_credentials=allow_credentials,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
 
 # Data Models
 class PredictionRequest(BaseModel):
diff --git a/tests/controller/test_kafka_app_middleware.py b/tests/controller/test_kafka_app_middleware.py
@@ -0,0 +1,8 @@
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.middleware.trustedhost import TrustedHostMiddleware
+from regression_model_template.controller.kafka_app import app
+
+def test_middleware_configuration():
+    middleware_types = [m.cls for m in app.user_middleware]
+    assert TrustedHostMiddleware in middleware_types, "TrustedHostMiddleware missing"
+    assert CORSMiddleware in middleware_types, "CORSMiddleware missing"
