Problem
The default CORS origin regex trusts the entire 192.168.42.0/24 lab subnet over plain HTTP, not just localhost.
Evidence
app/core/config.py:70 — default:
^https?://(localhost|127\.0\.0\.1|\[::1\]|192\.168\.42\.\d{1,3})(:\d+)?$
CORS is configured with allow_credentials=True.
Impact (High)
Any device on the deployment LAN (e.g. a compromised lab VM) can make credentialed cross-origin requests to the API. Combined with the no-auth-in-this-layer model (Kong is bypassed on direct access) and token-in-response exposure, this widens the blast radius significantly.
Suggested fix
Default to localhost-only; require an explicit, narrow CORS_ORIGIN_REGEX per deployment; prefer HTTPS-only. Document that subnet-wide origins are opt-in.
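To make the difference concrete, the following is an added check (not code from the project) that runs the quoted default regex and a localhost-only replacement against sample Origin header values; the replacement pattern, the per-deployment example and the sample origins are assumptions constructed for this illustration.

```python
import re

# Default quoted from app/core/config.py:70 in the finding: accepts any host
# on 192.168.42.0/24 over plain http or https, on any port.
WEAK_ORIGIN_REGEX = (
    r"^https?://(localhost|127\.0\.0\.1|\[::1\]|192\.168\.42\.\d{1,3})(:\d+)?$"
)

# Suggested localhost-only default (assumption, not the project's code):
# loopback names only, any port, scheme still permissive for local dev.
SAFE_DEFAULT_ORIGIN_REGEX = r"^https?://(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$"

# Example of an explicit, narrow per-deployment CORS_ORIGIN_REGEX value:
# one HTTPS origin, one port. Constructed for illustration only.
EXAMPLE_DEPLOYMENT_REGEX = r"^https://192\.168\.42\.10(:8443)?$"


def origin_allowed(pattern: str, origin: str) -> bool:
    """True if a browser Origin header value would pass the CORS regex.

    Both patterns are anchored with ^ and $, so re.match and re.fullmatch
    give the same answer; fullmatch is used to make the intent explicit.
    """
    return re.fullmatch(pattern, origin) is not None


def audit(pattern: str, origins: list[str]) -> dict[str, bool]:
    """Map each sample origin to whether the given pattern admits it."""
    return {origin: origin_allowed(pattern, origin) for origin in origins}


# Constructed sample origins: local dev, other LAN hosts, and outsiders.
SAMPLE_ORIGINS = [
    "http://localhost:3000",
    "http://127.0.0.1:8080",
    "http://[::1]:5173",
    "http://192.168.42.17",        # another device on the lab subnet
    "http://192.168.42.17:8000",   # same device, explicit port
    "https://192.168.42.10:8443",  # the one origin a deployment might pin
    "https://192.168.43.5",        # adjacent subnet: rejected by all three
    "http://evil.example.com",     # off-LAN: rejected by all three
]

if __name__ == "__main__":
    for name, pattern in [("weak default", WEAK_ORIGIN_REGEX),
                          ("localhost-only", SAFE_DEFAULT_ORIGIN_REGEX),
                          ("pinned deployment", EXAMPLE_DEPLOYMENT_REGEX)]:
        print(name)
        for origin, ok in audit(pattern, SAMPLE_ORIGINS).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {origin}")
```

Because allow_credentials=True is set, the regex is the only thing deciding which origins receive cookie- or token-bearing responses, so every origin the weak pattern admits above is an origin that can read credentialed API responses.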