diff --git a/inventory_api/settings.py b/inventory_api/settings.py
index 0ffbffb..7fe4902 100644
--- a/inventory_api/settings.py
+++ b/inventory_api/settings.py
@@ -38,9 +38,12 @@
     'django.contrib.messages',
     'django.contrib.staticfiles',
     'entities',
+    'corsheaders',
 ]
 
 MIDDLEWARE = [
+    'corsheaders.middleware.CorsMiddleware',
+    # keep CorsMiddleware as high as possible (before CommonMiddleware)
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',
@@ -116,3 +119,20 @@
 # https://docs.djangoproject.com/en/6.0/howto/static-files/
 STATIC_URL = 'static/'
+
+# CORS settings: use environment variable CORS_ALLOWED_ORIGINS (comma-separated) in production
+import os
+
+_cors_origins = os.environ.get('CORS_ALLOWED_ORIGINS')
+if _cors_origins:
+    CORS_ALLOWED_ORIGINS = [u.strip() for u in _cors_origins.split(',') if u.strip()]
+else:
+    # safe default for development when using a local frontend dev server
+    CORS_ALLOWED_ORIGINS = [
+        'http://localhost:5173',
+        'http://127.0.0.1:5173',
+    ]
+
+# If you need cookie authentication across origins enable credentials
+# CORS_ALLOW_CREDENTIALS = True
+
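Review bot: The ordering comment in MIDDLEWARE is placed after the entry it describes, so it reads as if it annotates SecurityMiddleware on the next line; put it above `'corsheaders.middleware.CorsMiddleware',` instead. The placement itself is correct: CorsMiddleware sits before CommonMiddleware, which is the one that can short-circuit with a redirect response before the CORS headers are attached. The MIDDLEWARE list continues past the end of the hunk.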
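Review bot: The `else` branch applies the localhost:5173 development origins whenever CORS_ALLOWED_ORIGINS is unset, so a production deployment that forgets the variable silently runs with a developer fallback rather than failing loudly or allowing nothing; gate the fallback on the debug flag, `elif DEBUG:` for the dev list and `else: CORS_ALLOWED_ORIGINS = []`, assuming DEBUG is defined earlier in this settings file as in a standard Django layout (not visible in the hunk). The mid-file `import os` should move up to the module's existing import block rather than sit after STATIC_URL. The trailing comment about CORS_ALLOW_CREDENTIALS would be more useful if it also said that cross-origin cookie authentication additionally requires the frontend origins in `CSRF_TRUSTED_ORIGINS`, otherwise Django's CSRF origin check rejects the cross-site POSTs even though CORS permits them.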