From 0a9263213488b75f49fca00f4441cc4fd443043b Mon Sep 17 00:00:00 2001
From: Justin Head
Date: Fri, 6 Mar 2026 18:30:45 -0800
Subject: [PATCH 1/5] feat(auth): support CORS credentials via env var
---
 packages/server/src/utils/XSS.ts | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/packages/server/src/utils/XSS.ts b/packages/server/src/utils/XSS.ts
index a42d2d6ddf0..06fa80dfa0f 100644
--- a/packages/server/src/utils/XSS.ts
+++ b/packages/server/src/utils/XSS.ts
@@ -25,6 +25,10 @@ export function getAllowedCorsOrigins(): string {
 return process.env.CORS_ORIGINS ?? ''
 }
+export function getAllowCredentials(): boolean {
+ return process.env.CORS_ALLOW_CREDENTIALS === 'true'
+}
+
 function parseAllowedOrigins(allowedOrigins: string): string[] {
 if (!allowedOrigins) {
 return []
@@ -41,6 +45,7 @@ function parseAllowedOrigins(allowedOrigins: string): string[] {
 export function getCorsOptions(): any {
 return (req: any, callback: (err: Error | null, options?: any) => void) => {
 const corsOptions = {
+ credentials: getAllowCredentials(),
 origin: async (origin: string | undefined, originCallback: (err: Error | null, allow?: boolean) => void) => {
 const allowedOrigins = getAllowedCorsOrigins()
 const isPublicChatflowReq = isPublicChatflowRequest(req.url)
From 82f43bd1acb1ef653fedf78ec143080365eefb4f Mon Sep 17 00:00:00 2001
From: Justin Head
Date: Fri, 20 Mar 2026 15:27:22 -0700
Subject: [PATCH 2/5] remove dead cors code
---
 packages/server/src/index.ts | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/packages/server/src/index.ts b/packages/server/src/index.ts
index bbb31910e9e..02d6a43d898 100644
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
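Review bot: `getAllowCredentials` is a new exported function with no TSDoc, and its contract is narrower than the name suggests: only the exact lowercase string `'true'` enables it, so `TRUE`, `1` or `yes` silently leave credentials off. Suggest a header comment such as `/** True only when CORS_ALLOW_CREDENTIALS is exactly 'true'; any other value (or unset) disables Access-Control-Allow-Credentials. Intended for use together with an explicit CORS_ORIGINS allow-list, never a wildcard. */`. The hunk sits between `getAllowedCorsOrigins` and `parseAllowedOrigins`, whose bodies continue outside it.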
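Review bot: `credentials: getAllowCredentials()` is set on `corsOptions` for every request, so whatever the `origin` callback decides to allow — presumably including the public-chatflow path selected by `isPublicChatflowReq`, and any wildcard accepted from `CORS_ORIGINS` — is now allowed with credentials as well. A branch that reflects the request origin would then let any site make cookie-bearing cross-origin calls, since browsers honor `Access-Control-Allow-Credentials: true` whenever the echoed origin is a specific value rather than `*`. The `origin` callback's body continues outside the hunk, so I can't confirm whether such a reflecting branch exists; if it does, credentials should be gated on an explicit allow-list match rather than on the env var alone. A minimal per-request form is `credentials: getAllowCredentials() && !isPublicChatflowRequest(req.url),` since `req` is already in scope here, with the wildcard case handled inside the `origin` callback by answering `originCallback(null, false)` when credentials are enabled and no listed origin matched.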
@@ -205,11 +205,6 @@ export class App {
 // Add the sanitizeMiddleware to guard against XSS
 this.app.use(sanitizeMiddleware)
- this.app.use((req, res, next) => {
- res.header('Access-Control-Allow-Credentials', 'true') // Allow credentials (cookies, etc.)
- if (next) next()
- })
-
 const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : []
 const whitelistURLs = WHITELIST_URLS.filter((url) => !denylistURLs.includes(url))
 const URL_CASE_INSENSITIVE_REGEX: RegExp = /\/api\/v1\//i
From e3f16044643a929882f8e73aff88fd09fe240d35 Mon Sep 17 00:00:00 2001
From: Justin Head
Date: Fri, 20 Mar 2026 16:33:32 -0700
Subject: [PATCH 3/5] update CONTRIBUTING.md
---
 CONTRIBUTING.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 86d15e30987..ef52355125f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -157,6 +157,7 @@ Flowise support different environment variables to configure your instance. You
 | Variable | Description | Type | Default |
 | ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- |
 | PORT | The HTTP port Flowise runs on | Number | 3000 |
+| CORS_ALLOW_CREDENTIALS | Enables CORS `Access-Control-Allow-Credentials` when `true` |
 | CORS_ORIGINS | The allowed origins for all cross-origin HTTP calls | String | |
 | IFRAME_ORIGINS | The allowed origins for iframe src embedding | String | |
 | FLOWISE_FILE_SIZE_LIMIT | Upload File Size Limit | String | 50mb |
From 22a18033028627b7de838b7c4391ecb4ab1742f1 Mon Sep 17 00:00:00 2001
From: Justin Head
Date: Fri, 20 Mar 2026 16:34:43 -0700
Subject: [PATCH 4/5] update CONTRIBUTING.md
---
 CONTRIBUTING.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index ef52355125f..1893738636f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -157,7 +157,7 @@ Flowise support different environment variables to configure your instance. You
 | Variable | Description | Type | Default |
 | ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- |
 | PORT | The HTTP port Flowise runs on | Number | 3000 |
-| CORS_ALLOW_CREDENTIALS | Enables CORS `Access-Control-Allow-Credentials` when `true` |
+| CORS_ALLOW_CREDENTIALS | Enables CORS `Access-Control-Allow-Credentials` when `true` | Boolean | false |
 | CORS_ORIGINS | The allowed origins for all cross-origin HTTP calls | String | |
 | IFRAME_ORIGINS | The allowed origins for iframe src embedding | String | |
 | FLOWISE_FILE_SIZE_LIMIT | Upload File Size Limit | String | 50mb |
From 6e84604f90b0b89688911b4c79b0720be7c40f3f Mon Sep 17 00:00:00 2001
From: Justin Head
Date: Fri, 20 Mar 2026 16:36:03 -0700
Subject: [PATCH 5/5] update .env examples
---
 docker/.env.example | 1 +
 docker/worker/.env.example | 1 +
 packages/server/.env.example | 1 +
 3 files changed, 3 insertions(+)
diff --git a/docker/.env.example b/docker/.env.example
index 0f5a6717d83..e1832e6350f 100644
--- a/docker/.env.example
+++ b/docker/.env.example
@@ -74,6 +74,7 @@ PORT=3000
 ############################################################################################################
 # NUMBER_OF_PROXIES= 1
+# CORS_ALLOW_CREDENTIALS=false
 # CORS_ORIGINS=*
 # IFRAME_ORIGINS=*
 # FLOWISE_FILE_SIZE_LIMIT=50mb
diff --git a/docker/worker/.env.example b/docker/worker/.env.example
index 83a7d3a9bf2..6ea8b475e44 100644
--- a/docker/worker/.env.example
+++ b/docker/worker/.env.example
@@ -74,6 +74,7 @@ WORKER_PORT=5566
 ############################################################################################################
 # NUMBER_OF_PROXIES= 1
+# CORS_ALLOW_CREDENTIALS=false
 # CORS_ORIGINS=*
 # IFRAME_ORIGINS=*
 # FLOWISE_FILE_SIZE_LIMIT=50mb
diff --git a/packages/server/.env.example b/packages/server/.env.example
index 2af7f61362d..5b932c3fa8a 100644
--- a/packages/server/.env.example
+++ b/packages/server/.env.example
@@ -73,6 +73,7 @@ PORT=3000
 ############################################################################################################
 # NUMBER_OF_PROXIES= 1
+# CORS_ALLOW_CREDENTIALS=false
 # CORS_ORIGINS=*
 # IFRAME_ORIGINS=*
 # FLOWISE_FILE_SIZE_LIMIT=50mb