From 04a684b359b675ba4e1107efa54f067c376426b2 Mon Sep 17 00:00:00 2001 From: SergeantPanda Date: Fri, 10 Apr 2026 08:34:13 -0500 Subject: [PATCH] =?UTF-8?q?security:=20Removed=20`CORS=5FALLOW=5FCREDENTIA?= =?UTF-8?q?LS=20=3D=20True`=20from=20CORS=20configuration.=20Dispatcharr?= =?UTF-8?q?=20authenticates=20via=20JWT=20`Authorization`=20headers=20and?= =?UTF-8?q?=20API=20keys=20=E2=80=94=20not=20cookies=20=E2=80=94=20so=20cr?= =?UTF-8?q?edentials=20are=20never=20sent=20cross-origin=20by=20browsers.?= =?UTF-8?q?=20The=20setting=20was=20also=20redundant:=20browsers=20reject?= =?UTF-8?q?=20`Access-Control-Allow-Credentials:=20true`=20when=20`Access-?= =?UTF-8?q?Control-Allow-Origin`=20is=20a=20wildcard=20(`*`),=20so=20it=20?= =?UTF-8?q?had=20no=20effect=20in=20practice.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- dispatcharr/settings.py | 1 - 1 file changed, 1 deletion(-) diff --git a/dispatcharr/settings.py b/dispatcharr/settings.py index db9284ff..e0eae919 100644 --- a/dispatcharr/settings.py +++ b/dispatcharr/settings.py @@ -420,7 +420,6 @@ BACKUP_DATA_DIRS = [ SERVER_IP = "127.0.0.1" CORS_ALLOW_ALL_ORIGINS = True -CORS_ALLOW_CREDENTIALS = True CSRF_TRUSTED_ORIGINS = ["http://*", "https://*"] APPEND_SLASH = True