security: Removed CORS_ALLOW_CREDENTIALS = True from CORS configuration. Dispatcharr authenticates via JWT Authorization headers and API keys — not cookies — so credentials are never sent cross-origin by browsers. The setting was also redundant: browsers reject Access-Control-Allow-Credentials: true when Access-Control-Allow-Origin is a wildcard (*), so it had no effect in practice.

This commit is contained in:
SergeantPanda 2026-04-10 08:34:13 -05:00
parent b535f28ac5
commit 04a684b359

View file

@ -420,7 +420,6 @@ BACKUP_DATA_DIRS = [
SERVER_IP = "127.0.0.1"
CORS_ALLOW_ALL_ORIGINS = True
CORS_ALLOW_CREDENTIALS = True
CSRF_TRUSTED_ORIGINS = ["http://*", "https://*"]
APPEND_SLASH = True