don't use wildcard for CORS allow headers

lucat1 · Dec 13, 2023 · a7970ec · a7970ec
1 parent 8b7c33d
commit a7970ec
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/server/src/api/mod.rs b/server/src/api/mod.rs
@@ -6,7 +6,7 @@ mod internal;
 pub mod jsonapi;
 mod tempo;
 
-use axum::Router;
+use axum::{Router, http::header::{ACCEPT, AUTHORIZATION}};
 use base::database::get_database;
 pub use error::Error;
 use eyre::Result;
@@ -23,7 +23,7 @@ pub fn router() -> Result<Router> {
     let cors = CorsLayer::new()
         .allow_methods(Any)
         .allow_origin(Any)
-        .allow_headers(Any);
+        .allow_headers([AUTHORIZATION, ACCEPT]);
     let tracing = TraceLayer::new_for_http();
     let conn = get_database()?.clone();
     Ok(Router::new()