From b8556c1990e14e3b00920917f6baf6808f93bcb6 Mon Sep 17 00:00:00 2001 From: Sumit Kumar Date: Sat, 13 Jun 2026 21:17:35 +0530 Subject: [PATCH] fix(security): restrict CORS allow_methods to GET, POST, OPTIONS Wildcard allow_methods exposed DELETE, PUT, PATCH, TRACE etc. Limit to the three methods the API actually uses to reduce the cross-origin attack surface.
---
 backend/app/main.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/app/main.py b/backend/app/main.py
index 0f29f2b1..2b737976 100644
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -20,7 +20,7 @@
 "http://localhost:5500",
 "https://cara-janavipandoles-projects.vercel.app",], # update as needed
 allow_credentials=True,
- allow_methods=["*"],
+ allow_methods=["GET", "POST", "OPTIONS"],
 allow_headers=["*"],
 )
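Review bot: Narrowing `allow_methods` only changes what a browser preflight is told it may send; it is not an authorization control, so any DELETE/PUT/PATCH route still needs its own server-side auth check, and if the frontend does call such a route this change will break it, so the routers are worth a grep before merge. The same tightening is missing from the untouched neighbours in this hunk: assuming this is Starlette/FastAPI's CORSMiddleware, `allow_headers=["*"]` together with `allow_credentials=True` reflects whatever headers the preflight asks for, so listing the headers the API actually reads, e.g. `allow_headers=["Content-Type", "Authorization"]` (adjust to the real set), would finish what the commit starts. The origin list also ships `http://localhost:5500` next to the production Vercel origin with credentials enabled; sourcing `allow_origins` from configuration would keep the dev origin out of production instead of relying on the `# update as needed` comment. The `add_middleware(...)` call this hunk belongs to starts before the hunk.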