BUG: Restrict CORS middleware to only allow localhost origins instead of wildcard (*)

[srijan2607]

Is there an existing issue for this?

• I have searched the existing issues

What happened?

Current configuration allows ANY origin to make requests to the local API, which:

• Creates potential security vulnerability
• Could allow malicious websites to access user's local photo data
• Violates privacy-first principle

Changes

• Updated CORS allow_origins to whitelist only known localhost origins
• Specified exact HTTP methods and headers instead of wildcards
• Added Tauri-specific origins for production builds

---

Before:

app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],  # Allows all origins
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

After:

app.add_middleware(
    CORSMiddleware,
    allow_origins=[
        "http://localhost:1420",  # Tauri dev server
        "http://localhost:5173",  # Vite dev server
        "tauri://localhost",      # Tauri production
        "https://tauri.localhost", # Tauri HTTPS
    ],
    allow_credentials=True,
    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    allow_headers=["Content-Type", "Accept", "Authorization"],
)

Record

• I agree to follow this project's Code of Conduct

Checklist before Submitting

• Have you updated docs for it?
• Have you added unit tests?
• Have you made sure unit tests pass?
• Have you made sure code formatting is correct?
• Do Your changes passes all tests?

[srijan2607]

@rahulharpal1603 can you please assign this to me ?

[akshat3410]

Hi! @srijan2607 I'd like to work on this issue.
Can you please assign it to me if it's still available?

[Soham-0816]

Hello! can i work on this issue. I really would like to work on this.

[SnippyCodes]

Hello! @srijan2607 I am interested in working on this security improvement. I have already starred and forked the repository.

My Approach: I plan to restrict the CORSMiddleware to specific known origins instead of the current wildcard (*). This will include whitelisting http://localhost:1420 for the Tauri dev server and production-specific origins like tauri://localhost. I will also replace wildcard methods and headers with an explicit list (e.g., GET, POST, Content-Type) to follow the principle of least privilege.

Could you please assign this issue to me so I can begin? Thank you!

[singhabhimanyu9838]

@rahulharpal1603 Hi, I’m Abhimanyu
I’d like to work on this issue if it’s available.
Thanks!

[HardikaPaliwal]

Hi maintainers, I am interested in working over this issue, can you please assign it to me?