From 706a54ae5a6631fd5f7bfd0f02f319ff9ad11d1f Mon Sep 17 00:00:00 2001
From: Dev Prashant
Date: Tue, 23 Jun 2026 22:52:18 +0530
Subject: [PATCH] fix(security): restrict wildcard CORS origin in Flask API
---
 backend/api.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/backend/api.py b/backend/api.py
index 88162d9..80b2581 100644
--- a/backend/api.py
+++ b/backend/api.py
@@ -35,7 +35,8 @@ load_dotenv()
 app = Flask(__name__)
-CORS(app, resources={r"/*": {"origins": "*" }})
+ALLOWED_ORIGIN = os.getenv("NODE_GATEWAY_ORIGIN", "http://localhost:3000")
+CORS(app, resources={r"/*": {"origins": ALLOWED_ORIGIN}})
 from functools import wraps
 from flask_jwt_extended import JWTManager, jwt_required, get_jwt_identity, verify_jwt_in_request
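Review bot: The value read from `NODE_GATEWAY_ORIGIN` on the first added line is passed to flask-cors unchecked, so a deployment that sets it to `*` (or to a pattern, since flask-cors accepts regular expressions as origins) gets the wildcard behaviour back without any code change. I would reject that at startup with `if not ALLOWED_ORIGIN or "*" in ALLOWED_ORIGIN: raise RuntimeError("NODE_GATEWAY_ORIGIN must be one explicit origin")`, placed between the two added lines. The `http://localhost:3000` default also hides a missing variable in production, so logging the effective origin once at startup would make that misconfiguration visible. The hunk does not show an `import os`, and the imports that are visible sit below the CORS call, so confirm `os` is already in scope at this point of the module. A comment such as `# CORS only limits which browser origin may read responses; the JWT checks remain the access control` would keep the restriction from being read as authentication.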