Implement proper CORS configuration for secure cross-origin usage

- Add flask-cors dependency and configure CORS with security best practices - Support configurable CORS origins via environment variables - Separate admin endpoint CORS configuration for enhanced security - Create comprehensive CORS configuration documentation - Add apiClient utility for CORS-aware frontend requests - Include CORS test page for validation - Update README with CORS configuration instructions 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-02 23:51:27 -06:00
parent dc3e67e17b
commit b08574efe5
8 changed files with 1589 additions and 253 deletions
--- a/app.py
+++ b/app.py
@@ -5,6 +5,7 @@ import requests
 import json
 import logging
 from flask import Flask, render_template, request, jsonify, Response, send_file, send_from_directory, stream_with_context
+from flask_cors import CORS, cross_origin
 import whisper
 import torch
 import ollama
@@ -48,6 +49,33 @@ def with_error_boundary(func):

 app = Flask(__name__)

+# Configure CORS with security best practices
+cors_config = {
+    "origins": os.environ.get('CORS_ORIGINS', '*').split(','),  # Default to * for development, restrict in production
+    "methods": ["GET", "POST", "OPTIONS"],
+    "allow_headers": ["Content-Type", "Authorization", "X-Requested-With", "X-Admin-Token"],
+    "expose_headers": ["Content-Range", "X-Content-Range"],
+    "supports_credentials": True,
+    "max_age": 3600  # Cache preflight requests for 1 hour
+}
+
+# Apply CORS configuration
+CORS(app, resources={
+    r"/api/*": cors_config,
+    r"/transcribe": cors_config,
+    r"/translate": cors_config,
+    r"/translate/stream": cors_config,
+    r"/speak": cors_config,
+    r"/get_audio/*": cors_config,
+    r"/check_tts_server": cors_config,
+    r"/update_tts_config": cors_config,
+    r"/health/*": cors_config,
+    r"/admin/*": {
+        **cors_config,
+        "origins": os.environ.get('ADMIN_CORS_ORIGINS', 'http://localhost:*').split(',')
+    }
+})
+
 # Configure upload folder - use environment variable or default to secure temp directory
 default_upload_folder = os.path.join(tempfile.gettempdir(), 'talk2me_uploads')
 upload_folder = os.environ.get('UPLOAD_FOLDER', default_upload_folder)