Skip to content

fix: secure production defaults#229

Open
0xNyk wants to merge 1 commit into666ghj:mainfrom
0xNyk:fix/secure-defaults
Open

fix: secure production defaults#229
0xNyk wants to merge 1 commit into666ghj:mainfrom
0xNyk:fix/secure-defaults

Conversation

@0xNyk
Copy link

@0xNyk 0xNyk commented Mar 17, 2026
edited
Loading

Summary

  • Default DEBUG to False instead of True
  • Generate random SECRET_KEY if not set (remove hardcoded fallback)
  • Configure CORS origins from CORS_ORIGINS env var instead of wildcard *
  • Default host to 127.0.0.1 instead of 0.0.0.0
  • Add security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection)

Test plan

  • Verify backend starts with no env vars set
  • Verify CORS_ORIGINS env var is respected
  • Check response headers include security headers

@0xNyk
fix: secure production defaults
1413b9c 
- Default DEBUG to False instead of True
- Generate random SECRET_KEY if not set (no hardcoded fallback)
- Configure CORS origins from env instead of wildcard
- Default host to 127.0.0.1 instead of 0.0.0.0
- Add security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection)
@0xNyk
Copy link
Author

0xNyk commented Mar 17, 2026

Verification

All checks pass on merged code:

Test Result
DEBUG defaults to False ✅ PASS
SECRET_KEY is random 64-char hex (not hardcoded) ✅ PASS
CORS_ORIGINS configurable from env ✅ PASS
Security headers in responses ✅ PASS
create_app() succeeds ✅ PASS 
DEBUG default: False
SECRET_KEY is random: True
SECRET_KEY length: 64
CORS_ORIGINS: ['http://localhost:3000']

@ChinmayShringi ChinmayShringi mentioned this pull request Mar 17, 2026
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@0xNyk