From 67f1675130aa5168acca743bae538e18be7eac91 Mon Sep 17 00:00:00 2001
From: pewdiepie-archdaemon
Date: Mon, 1 Jun 2026 10:54:08 +0900
Subject: [PATCH] Restrict credentialed CORS headers

---
 app.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/app.py b/app.py
index 48ad3cf..0156ae4 100644
--- a/app.py
+++ b/app.py
@@ -54,7 +54,17 @@ app.add_middleware(
     allow_origins=allowed_origins,
     allow_credentials=True,
     allow_methods=["GET", "POST", "PUT", "DELETE"],
-    allow_headers=["*"],
+    allow_headers=[
+        "Accept",
+        "Authorization",
+        "Content-Type",
+        "X-API-Key",
+        "X-Auth-Token",
+        "X-Odysseus-Internal-Token",
+        "X-Odysseus-Owner",
+        "X-Requested-With",
+        "X-TZ-Offset",
+    ],
 )
 
 # ========= SECURITY HEADERS MIDDLEWARE =========
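Review bot: The tightened `allow_headers` list is only as strong as `allowed_origins`, which is defined outside this hunk (the `app.add_middleware(` call also starts before it): with `allow_credentials=True`, Starlette's CORSMiddleware reflects the request Origin on cookie-bearing responses whenever `allow_origins` contains `"*"`, so a wildcard there would still let any site read credentialed responses regardless of this allowlist. Guard it at startup, e.g. `if "*" in allowed_origins: raise RuntimeError("CORS: wildcard origin is not allowed with allow_credentials=True")`, placed just before the `app.add_middleware(` call. `X-Odysseus-Internal-Token` reads like a service-to-service credential; if only backend callers ever send it, it does not belong in a browser-facing allowlist and should be dropped, since listing it lets any allowed origin present that header from a browser context. A short comment on the list would also help future maintainers, e.g. `# Explicit allowlist: browsers ignore "*" for credentialed requests, and every name here is a header a cross-origin browser client may send with cookies or tokens.`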