From 26ff80a682f23a2b7743702761711e5b4df61daa Mon Sep 17 00:00:00 2001
From: Marko Djordjevic <marko.homoludens@gmail.com>
Date: Wed, 18 Feb 2026 11:02:00 +0100
Subject: [PATCH] fix: implement CORS origins configuration via environment
 variable

- Replace hardcoded allow_origins=['*'] with dynamic configuration
- Read CORS_ORIGINS environment variable (comma-separated list)
- Default to 'http://localhost:3000' if CORS_ORIGINS is not set
- Support multiple origins by splitting and stripping whitespace from env var
---
 services/ml/app/main.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/services/ml/app/main.py b/services/ml/app/main.py
index d93955f..c3ffea8 100644
--- a/services/ml/app/main.py
+++ b/services/ml/app/main.py
@@ -5,6 +5,7 @@ Provides REST API endpoints for model serving, health checks, and prediction.
 """
 
 import logging
+import os
 import re
 import threading
 import uuid as uuid_lib
@@ -48,10 +49,14 @@ app = FastAPI(
     version="1.0.0"
 )
 
+# Parse CORS origins from environment variable or use default
+cors_origins_str = os.getenv("CORS_ORIGINS", "http://localhost:3000")
+allow_origins = [origin.strip() for origin in cors_origins_str.split(",")]
+
 # CORS middleware
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],  # In production, specify actual origins
+    allow_origins=allow_origins,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],