mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-07-13 15:57:01 +08:00
security: configurable CORS origins, limit sentinel response body
- Add CORS_ALLOWED_ORIGINS config (comma-separated origins, default allow-all) - CORS middleware now validates Origin header against allowlist - Add io.LimitReader to sentinel.go (was unbounded, now 256KB) - Include previous: agent chat auth middleware + frontend token header
This commit is contained in:
@@ -38,6 +38,11 @@ type Config struct {
|
||||
// Set EXPERIENCE_IMPROVEMENT=false to disable
|
||||
ExperienceImprovement bool
|
||||
|
||||
// CORS configuration
|
||||
// Comma-separated list of allowed origins. Empty or "*" means allow all.
|
||||
// Example: "http://localhost:5173,https://nofx.example.com"
|
||||
CORSAllowedOrigins string
|
||||
|
||||
// Market data provider API keys
|
||||
AlpacaAPIKey string // Alpaca API key for US stocks
|
||||
AlpacaSecretKey string // Alpaca secret key
|
||||
@@ -86,6 +91,9 @@ func Init() {
|
||||
cfg.ExperienceImprovement = strings.ToLower(v) != "false"
|
||||
}
|
||||
|
||||
// CORS allowed origins (comma-separated, empty = allow all)
|
||||
cfg.CORSAllowedOrigins = os.Getenv("CORS_ALLOWED_ORIGINS")
|
||||
|
||||
// Market data provider API keys
|
||||
cfg.AlpacaAPIKey = os.Getenv("ALPACA_API_KEY")
|
||||
cfg.AlpacaSecretKey = os.Getenv("ALPACA_SECRET_KEY")
|
||||
|
||||
Reference in New Issue
Block a user