Restrict credentialed CORS headers

2026-06-01 10:54:08 +09:00
parent 7dd12fc3ad
commit 67f1675130
1 changed files with 11 additions and 1 deletions
--- a/app.py
+++ b/app.py
@@ -54,7 +54,17 @@ app.add_middleware(
    allow_origins=allowed_origins,
    allow_credentials=True,
    allow_methods=["GET", "POST", "PUT", "DELETE"],
-    allow_headers=["*"],
+    allow_headers=[
+        "Accept",
+        "Authorization",
+        "Content-Type",
+        "X-API-Key",
+        "X-Auth-Token",
+        "X-Odysseus-Internal-Token",
+        "X-Odysseus-Owner",
+        "X-Requested-With",
+        "X-TZ-Offset",
+    ],
 )

 # ========= SECURITY HEADERS MIDDLEWARE =========