Skip to content

fix(docker): configure CORS for frontend in docker-compose#1700

Open
anshul23102 wants to merge 2 commits into
utksh1:mainfrom
anshul23102:fix/1622-docker-cors
Open

fix(docker): configure CORS for frontend in docker-compose#1700
anshul23102 wants to merge 2 commits into
utksh1:mainfrom
anshul23102:fix/1622-docker-cors

Conversation

@anshul23102

Copy link
Copy Markdown
Contributor

Fixes #1622

The docker-compose configuration was missing CORS setup for the frontend service. Frontend runs on port 5173, API on port 8081. Without explicit CORS_ALLOWED_ORIGINS, the backend's CORS middleware would reject requests from the frontend, blocking API calls.

Fix: set SECUSCAN_CORS_ALLOWED_ORIGINS environment variable in the api service to allow requests from:

This ensures the frontend can make API calls whether accessed via localhost, IP, or internal Docker service name.

@utksh1 utksh1 left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution. The Docker/CORS idea may be useful, but this PR needs to be narrowed before it can be reviewed safely:\n\n1. The PR title says fix(docker): configure CORS for frontend in docker-compose, but the diff also includes a substantial unrelated parser-sandbox / network-isolation change. Please split that into a separate PR.\n2. Add focused validation for the Docker/CORS part itself. Right now the PR does not include clear coverage proving the compose change is needed and correct.\n3. Keep this PR single-purpose: Docker/CORS only.\n\nOnce the unrelated security/parser changes are removed and the scope is clean, I’m happy to re-review this.

@utksh1 utksh1 added type:bug Bug fix work category bonus label area:backend Backend API, database, or service work level:beginner 20 pts difficulty label for small beginner-friendly PRs type:devops DevOps or infrastructure work category bonus label area:ci CI, tooling, or automation work and removed type:bug Bug fix work category bonus label area:backend Backend API, database, or service work labels Jul 7, 2026
Issue utksh1#1622: the docker-compose configuration was missing CORS setup for
the frontend service. Frontend runs on port 5173, API on port 8081, both
accessible via multiple origins (localhost, 127.0.0.1, and the Docker
service name 'frontend'). Without explicit CORS_ALLOWED_ORIGINS, the
backend's CORS middleware would reject requests from the frontend,
blocking API calls.

Fix: set SECUSCAN_CORS_ALLOWED_ORIGINS environment variable in the api
service to allow requests from http://localhost:5173, http://127.0.0.1:5173,
and http://frontend:5173 (Docker internal DNS). This ensures the frontend
can make API calls whether accessed via localhost, IP, or internal Docker
service name.

Fixes utksh1#1622
Parses docker-compose.yml directly (no Docker required) to assert the api
service sets SECUSCAN_CORS_ALLOWED_ORIGINS and that it covers every origin
the frontend can be reached through: localhost, 127.0.0.1, and the
Docker-internal 'frontend' service DNS name.

Addresses review feedback on utksh1#1700 asking for focused validation that the
compose change is needed and correct.
@anshul23102 anshul23102 force-pushed the fix/1622-docker-cors branch from 844f946 to 1a18834 Compare July 8, 2026 04:05
@anshul23102

Copy link
Copy Markdown
Contributor Author

Thanks for the review -- done. Pushed a cleaned-up branch:

Ready for another look.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:ci CI, tooling, or automation work level:beginner 20 pts difficulty label for small beginner-friendly PRs type:devops DevOps or infrastructure work category bonus label

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: Docker Compose binds backend to 0.0.0.0 with no CORS policy

2 participants