From ecc96a3e283595329dcf62d3c4c4ee0a9a0cf3df Mon Sep 17 00:00:00 2001
From: Tanner Collin
Date: Thu, 22 Jan 2026 13:58:09 -0700
Subject: [PATCH] feat: Restrict CORS origin to public_base_url if set
Co-authored-by: aider (gemini/gemini-2.5-pro)
---
 app/app.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/app/app.py b/app/app.py
index 9b10d78..65569b1 100644
--- a/app/app.py
+++ b/app/app.py
@@ -41,16 +41,20 @@ from app.config import Settings, load_settings
 # ---- App & static ----
 app = FastAPI(title="Immich Drop Uploader (Python)")
+# Global settings (read-only at runtime)
+SETTINGS: Settings = load_settings()
+
+# CORS
+origins = ["*"]
+if SETTINGS.public_base_url:
+ origins = [SETTINGS.public_base_url.strip().rstrip('/')]
 app.add_middleware(
 CORSMiddleware,
- allow_origins=["*"],
+ allow_origins=origins,
 allow_credentials=True,
 allow_methods=["*"],
 allow_headers=["*"],
 )
-
-# Global settings (read-only at runtime)
-SETTINGS: Settings = load_settings()
 _public_uploads_enabled_runtime = SETTINGS.public_upload_page_enabled
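Review bot: When `public_base_url` is unset, `origins` still falls back to `["*"]` while `allow_credentials=True` stays in place, so the default deployment keeps pairing a wildcard origin with credentialed requests. As far as I know, Starlette's CORSMiddleware answers such requests by echoing the caller's Origin, which would let any site make credentialed cross-origin calls; whether the app depends on cookies is not visible in this hunk. Tie the flag to the restricted case, e.g. `allow_credentials=bool(SETTINGS.public_base_url),`, or drop it if cross-origin cookies are not needed. Separately, `SETTINGS.public_base_url.strip().rstrip('/')` is only a valid origin when the setting carries no path component. A base URL with a sub-path would never match an Origin header, so consider deriving `scheme://host[:port]` with `urllib.parse.urlsplit` instead.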