Context
From architectural review item 3.
Problem
src/api/main.py sets allow_origins=["*"], allow_methods=["*"], allow_headers=["*"]. This is fine during early development but should be locked down before any real data is served.
Suggested approach
- Move CORS origins to an environment variable (e.g.,
API_CORS_ORIGINS), defaulting to ["https://person-validator.exe.xyz"] in production.
- Keep
* gated behind a DEBUG-like flag.
- Lock down methods and headers to only what's needed.
Context
From architectural review item 3.
Problem
src/api/main.pysetsallow_origins=["*"],allow_methods=["*"],allow_headers=["*"]. This is fine during early development but should be locked down before any real data is served.Suggested approach
API_CORS_ORIGINS), defaulting to["https://person-validator.exe.xyz"]in production.*gated behind aDEBUG-like flag.