Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork16.7k
Comments
Provide a configuration option to control automatic option responses#5496
Provide a configuration option to control automatic option responses#5496pgjones merged 1 commit intopallets:mainfrom
Conversation
By default Flask will provide responses to OPTIONS requests that areautomatically generated. These responses list the valid methods in theresponse headers. Whilst this is useful, it can be frowned on byauditors hence an ability to disable it wholesale is useful.
davidism commentedJun 6, 2024
Does this make sense as a config option? Lately I've been tending to use init params instead of config unless it actually makes sense to change something per deployment. (And you could still change it per deployment, you'd just have to do it manually in the app factory.) It seems like you'd either want automatic options or not. How would this interact with |
pgjones commentedJun 7, 2024
I would probably have different values in development and production given the information is useful in development. I do this via environment variables and the config.from_prefixed_env, so a config variable would be the easiest. I'd also argue it is more consistent with the other Flask options.
I think these would manage the OPTIONS responses directly anyway and this could make it easier to turn off the Flask default, e.g.Flask-CORS. |
By default Flask will provide responses to OPTIONS requests that are automatically generated. These responses list the valid methods in the response headers. Whilst this is useful, it can be frowned on by auditors hence an ability to disable it wholesale is useful.