Allowed hosts and CORS hosts now moved to the config file

This commit is contained in:
Oliver Walters 2019-07-10 23:25:15 +10:00
parent b941a4115f
commit 820d8da2ef
2 changed files with 33 additions and 6 deletions

View File

@ -38,14 +38,24 @@ SECRET_KEY = key_file.read().strip()
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = CONFIG.get('debug', True)
ALLOWED_HOSTS = ['*']
# List of allowed hosts (default = allow all)
ALLOWED_HOSTS = CONFIG.get('allowed_hosts', ['*'])
CORS_ORIGIN_WHITELIST = [
]
# Cross Origin Resource Sharing (CORS) options
if DEBUG:
print("Warning: DEBUG mode is enabled, CORS requests are allowed for any domain")
CORS_ORIGIN_ALLOW_ALL = True
# Only allow CORS access to API
CORS_URLS_REGEX = r'^/api/.*$'
# Extract CORS options from configuration file
cors_opt = CONFIG.get('cors', None)
if cors_opt:
CORS_ORIGIN_ALLOW_ALL = cors_opt.get('allow_all', False)
if CORS_ORIGIN_ALLOW_ALL:
print("Warning: DEBUG mode is enabled, CORS requests are allowed for any domain")
else:
CORS_ORIGIN_WHITELIST = cors_opt.get('whitelist', [])
if DEBUG:
# will output to your console

View File

@ -16,5 +16,22 @@ database:
# Set debug to False to run in production mode
debug: True
# Allowed hosts (see ALLOWED_HOSTS in Django settings documentation)
# A list of strings representing the host/domain names that this Django site can serve.
# Default behaviour is to allow all hosts (THIS IS NOT SECURE!)
allowed_hosts:
- '*'
# Cross Origin Resource Sharing (CORS) settings (see https://github.com/ottoyiu/django-cors-headers)
# Following parameters are
cors:
# CORS_ORIGIN_ALLOW_ALL - If True, the whitelist will not be used and all origins will be accepted. Defaults to False.
allow_all: False
# CORS_ORIGIN_WHITELIST - A list of origins that are authorized to make cross-site HTTP requests. Defaults to []
# whitelist:
# - https://example.com
# - https://sub.example.com
# Logging options
log_queries: False