Allowed hosts and CORS hosts now moved to the config file

InvenTree/InvenTree/settings.py

@@ -38,14 +38,24 @@ SECRET_KEY = key_file.read().strip()
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = CONFIG.get('debug', True)
 
-ALLOWED_HOSTS = ['*']
+# List of allowed hosts (default = allow all)
+ALLOWED_HOSTS = CONFIG.get('allowed_hosts', ['*'])
 
-CORS_ORIGIN_WHITELIST = [
+# Cross Origin Resource Sharing (CORS) options
-]
 
-if DEBUG:
+# Only allow CORS access to API
-    print("Warning: DEBUG mode is enabled, CORS requests are allowed for any domain")
+CORS_URLS_REGEX = r'^/api/.*$'
-    CORS_ORIGIN_ALLOW_ALL = True
+
+# Extract CORS options from configuration file
+cors_opt = CONFIG.get('cors', None)
+
+if cors_opt:
+    CORS_ORIGIN_ALLOW_ALL = cors_opt.get('allow_all', False)
+
+    if CORS_ORIGIN_ALLOW_ALL:
+        print("Warning: DEBUG mode is enabled, CORS requests are allowed for any domain")
+    else:
+        CORS_ORIGIN_WHITELIST = cors_opt.get('whitelist', [])
 
 if DEBUG:
     # will output to your console

InvenTree/config.yaml

@@ -16,5 +16,22 @@ database:
 # Set debug to False to run in production mode
 debug: True
 
+# Allowed hosts (see ALLOWED_HOSTS in Django settings documentation)
+# A list of strings representing the host/domain names that this Django site can serve.
+# Default behaviour is to allow all hosts (THIS IS NOT SECURE!)
+allowed_hosts:
+  - '*'
+
+# Cross Origin Resource Sharing (CORS) settings (see https://github.com/ottoyiu/django-cors-headers)
+# Following parameters are 
+cors:
+  # CORS_ORIGIN_ALLOW_ALL - If True, the whitelist will not be used and all origins will be accepted. Defaults to False.
+  allow_all: False
+  
+  # CORS_ORIGIN_WHITELIST - A list of origins that are authorized to make cross-site HTTP requests. Defaults to []
+  # whitelist:
+  # - https://example.com
+  # - https://sub.example.com
+
 # Logging options
 log_queries: False