diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 86d15e30987..1893738636f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -157,6 +157,7 @@ Flowise support different environment variables to configure your instance. You
 | Variable | Description | Type | Default |
 | ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- |
 | PORT | The HTTP port Flowise runs on | Number | 3000 |
+| CORS_ALLOW_CREDENTIALS | Enables CORS `Access-Control-Allow-Credentials` when `true` | Boolean | false |
 | CORS_ORIGINS | The allowed origins for all cross-origin HTTP calls | String | |
 | IFRAME_ORIGINS | The allowed origins for iframe src embedding | String | |
 | FLOWISE_FILE_SIZE_LIMIT | Upload File Size Limit | String | 50mb |
diff --git a/docker/.env.example b/docker/.env.example
index 0f5a6717d83..e1832e6350f 100644
--- a/docker/.env.example
+++ b/docker/.env.example
@@ -74,6 +74,7 @@ PORT=3000
 ############################################################################################################
 # NUMBER_OF_PROXIES= 1
+# CORS_ALLOW_CREDENTIALS=false
 # CORS_ORIGINS=*
 # IFRAME_ORIGINS=*
 # FLOWISE_FILE_SIZE_LIMIT=50mb
diff --git a/docker/worker/.env.example b/docker/worker/.env.example
index 83a7d3a9bf2..6ea8b475e44 100644
--- a/docker/worker/.env.example
+++ b/docker/worker/.env.example
@@ -74,6 +74,7 @@ WORKER_PORT=5566
 ############################################################################################################
 # NUMBER_OF_PROXIES= 1
+# CORS_ALLOW_CREDENTIALS=false
 # CORS_ORIGINS=*
 # IFRAME_ORIGINS=*
 # FLOWISE_FILE_SIZE_LIMIT=50mb
diff --git a/packages/server/.env.example b/packages/server/.env.example
index 2af7f61362d..5b932c3fa8a 100644
--- a/packages/server/.env.example
+++ b/packages/server/.env.example
@@ -73,6 +73,7 @@ PORT=3000
 ############################################################################################################
 # NUMBER_OF_PROXIES= 1
+# CORS_ALLOW_CREDENTIALS=false
 # CORS_ORIGINS=*
 # IFRAME_ORIGINS=*
 # FLOWISE_FILE_SIZE_LIMIT=50mb
diff --git a/packages/server/src/index.ts b/packages/server/src/index.ts
index bbb31910e9e..02d6a43d898 100644
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
@@ -205,11 +205,6 @@ export class App {
 // Add the sanitizeMiddleware to guard against XSS
 this.app.use(sanitizeMiddleware)
- this.app.use((req, res, next) => {
- res.header('Access-Control-Allow-Credentials', 'true') // Allow credentials (cookies, etc.)
- if (next) next()
- })
-
 const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : []
 const whitelistURLs = WHITELIST_URLS.filter((url) => !denylistURLs.includes(url))
 const URL_CASE_INSENSITIVE_REGEX: RegExp = /\/api\/v1\//i
diff --git a/packages/server/src/utils/XSS.ts b/packages/server/src/utils/XSS.ts
index a42d2d6ddf0..06fa80dfa0f 100644
--- a/packages/server/src/utils/XSS.ts
+++ b/packages/server/src/utils/XSS.ts
@@ -25,6 +25,10 @@ export function getAllowedCorsOrigins(): string {
 return process.env.CORS_ORIGINS ?? ''
 }
+export function getAllowCredentials(): boolean {
+ return process.env.CORS_ALLOW_CREDENTIALS === 'true'
+}
+
 function parseAllowedOrigins(allowedOrigins: string): string[] {
 if (!allowedOrigins) {
 return []
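Review bot: The new exported `getAllowCredentials` in the XSS.ts hunk carries no TSDoc, and its strict `=== 'true'` comparison means values such as `TRUE`, `1` or `yes` silently leave credentials disabled. That fail-closed behaviour is a sensible default for a security switch, but it should be stated so an operator does not misread a non-working setting as a bug. Suggested comment above the function: `/** Whether CORS responses include Access-Control-Allow-Credentials. Only the exact string 'true' in CORS_ALLOW_CREDENTIALS enables it; unset or any other value disables it (fail closed). */`.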
@@ -41,6 +45,7 @@ function parseAllowedOrigins(allowedOrigins: string): string[] {
 export function getCorsOptions(): any {
 return (req: any, callback: (err: Error | null, options?: any) => void) => {
 const corsOptions = {
+ credentials: getAllowCredentials(),
 origin: async (origin: string | undefined, originCallback: (err: Error | null, allow?: boolean) => void) => {
 const allowedOrigins = getAllowedCorsOrigins()
 const isPublicChatflowReq = isPublicChatflowRequest(req.url)
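Review bot: `credentials: getAllowCredentials()` is paired with an `origin` callback whose allowlist comes from `CORS_ORIGINS`, and the `.env.example` files in this same diff document `CORS_ORIGINS=*` as the example value. If `parseAllowedOrigins` treats `*` as allow-all (its body is not in this hunk), the cors package answers an `allow: true` callback by reflecting the request's `Origin` header rather than sending a literal `*`, so with credentials enabled any site could make credentialed requests to the instance; the browser's refusal of a literal `*` with credentials does not protect a reflected origin. Consider refusing to set `credentials: true` unless `CORS_ORIGINS` is an explicit allowlist, or at minimum add above the new line: `// NOTE: only enable credentials with an explicit CORS_ORIGINS allowlist; a wildcard (reflected) origin would expose authenticated responses cross-site`. The enclosing getCorsOptions function continues beyond the hunk.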