Bug: Fix CORS misconfiguration with wildcard and specific origins #40

@coderabbitai

Description

The CORS configuration in backend/app/main.py is incorrectly set up:

allow_origins=["redloop.vercel.app", "*"],

Using both a specific domain AND wildcard "*" defeats the purpose of CORS security.

Problem

  • The wildcard "*" allows all origins, making the specific domain pointless
  • CORS protection is effectively disabled
  • Any website can call your API

Expected Behavior

Should use an environment variable with a proper origin list:

import os
from fastapi.middleware.cors import CORSMiddleware

# Comma-separated list of full origins (scheme://host[:port]); no "*"
CORS_ORIGINS = os.getenv("CORS_ORIGINS", "http://localhost:3000").split(",")

app.add_middleware(
    CORSMiddleware,
    allow_origins=CORS_ORIGINS,  # No wildcard!
    allow_credentials=True,
    allow_methods=["GET", "POST", "PUT", "DELETE"],
    allow_headers=["*"],
)

Fix Checklist

  • Remove "*" from allow_origins
  • Use CORS_ORIGINS environment variable
  • Update backend/.env.example:
    CORS_ORIGINS=http://localhost:3000,https://redloop.vercel.app
  • Restrict allowed methods (remove wildcards where possible)
  • Test CORS in dev and production
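The checklist above, as an added example that is not part of the redloop project: a stdlib-only helper that parses CORS_ORIGINS the way the proposed fix does, rejects a wildcard entry, and rejects scheme-less entries (a browser's Origin header always carries the scheme, so a bare "redloop.vercel.app" would never match and the real frontend would be blocked). The names parse_cors_origins, origin_allowed and cors_origins_from_env are assumptions, not project code.

```python
import os
from typing import List, Optional
from urllib.parse import urlsplit


def parse_cors_origins(raw: str) -> List[str]:
    """Turn a comma-separated CORS_ORIGINS value into a validated allowlist.

    Rules: "*" is refused (it makes every other entry meaningless and, with
    allow_credentials=True, lets any site make authenticated requests);
    every entry must be a full origin, scheme://host[:port], with no path.
    """
    origins = []
    for entry in raw.split(","):
        entry = entry.strip().rstrip("/")
        if not entry:
            continue  # tolerate trailing commas / blank entries
        if entry == "*":
            raise ValueError("wildcard '*' is not allowed in CORS_ORIGINS")
        parts = urlsplit(entry)
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path or parts.query or parts.fragment):
            raise ValueError(f"not a valid origin: {entry!r}")
        # Normalise to scheme://host[:port] in lower case for exact matching
        origins.append(f"{parts.scheme}://{parts.netloc}".lower())
    if not origins:
        raise ValueError("CORS_ORIGINS is empty")
    return origins


def origin_allowed(request_origin: Optional[str], allowed: List[str]) -> bool:
    """Exact match on the whole origin: no prefix, suffix or substring matching,
    so https://redloop.vercel.app.attacker.example does not pass."""
    if not request_origin:
        return False
    return request_origin.rstrip("/").lower() in allowed


def cors_origins_from_env(default: str = "http://localhost:3000") -> List[str]:
    """Read CORS_ORIGINS as the fix proposes, falling back to the dev origin."""
    return parse_cors_origins(os.getenv("CORS_ORIGINS", default))


if __name__ == "__main__":
    # Constructed sample value matching the .env.example line in the checklist
    print(parse_cors_origins("http://localhost:3000,https://redloop.vercel.app"))
```

Feeding the result of parse_cors_origins to allow_origins keeps the middleware to an exact allowlist and fails at startup, rather than silently, if someone reintroduces "*" or a scheme-less host.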

Labels

bug (Something isn't working), priority-high (High priority), security (Security related issues)