added ability to disable cors at the backend

2026-01-22 13:38:10 -05:00 · 2025-09-11 09:59:47 +02:00
3 changed files with 29 additions and 15 deletions
--- a/autogpt_platform/backend/backend/server/rest_api.py
+++ b/autogpt_platform/backend/backend/server/rest_api.py
@@ -252,6 +252,8 @@ async def health():
 class AgentServer(backend.util.service.AppProcess):
    def run(self):
        if settings.config.enable_cors_all_origins:
            server_app = starlette.middleware.cors.CORSMiddleware(
                app=app,
                allow_origins=settings.config.backend_cors_allow_origins,
@@ -259,6 +261,10 @@ class AgentServer(backend.util.service.AppProcess):
                allow_methods=["*"],  # Allows all methods
                allow_headers=["*"],  # Allows all headers
            )
        else:
            logger.info("CORS is disabled")
            server_app = app
        uvicorn.run(
            server_app,
            host=backend.util.settings.Config().agent_api_host,
--- a/autogpt_platform/backend/backend/server/ws_api.py
+++ b/autogpt_platform/backend/backend/server/ws_api.py
@@ -295,7 +295,7 @@ async def health():
 class WebsocketServer(AppProcess):
    def run(self):
-        logger.info(f"CORS allow origins: {settings.config.backend_cors_allow_origins}")
+        if settings.config.enable_cors_all_origins:
            server_app = CORSMiddleware(
                app=app,
                allow_origins=settings.config.backend_cors_allow_origins,
@@ -303,6 +303,9 @@ class WebsocketServer(AppProcess):
                allow_methods=["*"],
                allow_headers=["*"],
            )
        else:
            logger.info("CORS is disabled")
            server_app = app
        uvicorn.run(
            server_app,
--- a/autogpt_platform/backend/backend/util/settings.py
+++ b/autogpt_platform/backend/backend/util/settings.py
@@ -368,6 +368,11 @@ class Config(UpdateTrackingModel["Config"], BaseSettings):
        description="Maximum message size limit for communication with the message bus",
    )
    enable_cors_all_origins: bool = Field(
        default=True,
        description="Whether to enable all CORS origins",
    )
    backend_cors_allow_origins: List[str] = Field(default=["http://localhost:3000"])
    @field_validator("backend_cors_allow_origins")