feat: add CORS setting for the backend application (#443)

* feat: add CORS setting for the backend application

* fix the formate issue

.env.example

@@ -7,6 +7,11 @@ NEXT_PUBLIC_API_URL="http://localhost:8000/api"
 
 AGENT_RECURSION_LIMIT=30
 
+# CORS settings
+# Comma-separated list of allowed origins for CORS requests
+# Example: ALLOWED_ORIGINS=http://localhost:3000,http://example.com
+ALLOWED_ORIGINS=http://localhost:3000
+
 # Search Engine, Supported values: tavily (recommended), duckduckgo, brave_search, arxiv
 SEARCH_API=tavily
 TAVILY_API_KEY=tvly-xxx

src/server/app.py

@@ -53,12 +53,17 @@ app = FastAPI(
 )
 
 # Add CORS middleware
+# It's recommended to load the allowed origins from an environment variable
+# for better security and flexibility across different environments.
+allowed_origins_str = os.getenv("ALLOWED_ORIGINS", "http://localhost:3000")
+allowed_origins = [origin.strip() for origin in allowed_origins_str.split(",")]
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],  # Allows all origins
+    allow_origins=allowed_origins,  # Restrict to specific origins
     allow_credentials=True,
-    allow_methods=["*"],  # Allows all methods
-    allow_headers=["*"],  # Allows all headers
+    allow_methods=["GET", "POST"],  # Be specific about allowed methods
+    allow_headers=["Content-Type", "Authorization", "X-Requested-With"],  # Be specific
 )
 
 graph = build_graph_with_memory()