Skip to content

fix: allow api key cors preflight#1575

Open
Tomeshwari-02 wants to merge 1 commit into
utksh1:mainfrom
Tomeshwari-02:fix/cors-api-key-header
Open

fix: allow api key cors preflight#1575
Tomeshwari-02 wants to merge 1 commit into
utksh1:mainfrom
Tomeshwari-02:fix/cors-api-key-header

Conversation

@Tomeshwari-02

Copy link
Copy Markdown
Contributor

Summary

  • add X-Api-Key to the default CORS allowed headers
  • update CORS preflight tests to request and assert the API-key header
  • document the SECUSCAN_CORS_ALLOWED_HEADERS default and override requirement

Why

The browser auth flow sends X-Api-Key when establishing a session. Cross-origin browser frontends need the preflight response to allow that header.

Fixes #1554

Validation

  • python -m pytest testing/backend/integration/test_cors.py -q

@utksh1 utksh1 left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a merge conflict with the main branch. Please rebase your branch on the latest main to resolve the conflicts.

@utksh1 utksh1 added type:bug Bug fix work category bonus label area:backend Backend API, database, or service work level:intermediate 35 pts difficulty label for moderate contributor PRs priority:medium Important issue with normal urgency labels Jul 3, 2026

@utksh1 utksh1 left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this contribution! I've reviewed the proposal and it looks like a valid addition. However, this branch currently has Git merge conflicts with main. Could you please pull the latest changes from upstream, resolve the conflicts, and push the rebased branch so we can continue the review process?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:backend Backend API, database, or service work level:intermediate 35 pts difficulty label for moderate contributor PRs priority:medium Important issue with normal urgency type:bug Bug fix work category bonus label

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Default CORS allowed headers omit X-Api-Key used by browser authentication

2 participants