Hardcoded Flask Secret Key & CORS Origins (SECURITY) #47

@linisha15

Security: Hardcoded Flask Secret Key and CORS Origins

Description

The Flask application has security credentials and environment-specific settings hardcoded into the code:

  1. SECRET_KEY is hardcoded to '12345' (trivially guessable)
  2. CORS origins are hardcoded to http://127.0.0.1 or https://osemosys.herokuapp.com/
  3. Deployment mode is controlled by a hardcoded HEROKU_DEPLOY flag (also used in the frontend)

This pattern makes it difficult to securely deploy the application across different environments.

Why This Matters

Critical security risk: A hardcoded SECRET_KEY compromises session security, CSRF tokens, and JWT signatures
Inflexible deployments: Cannot easily move from dev → staging → production without modifying code
Version control leak: Sensitive values are committed to git history
Violates 12-factor app principles: Configuration should come from the environment, not the codebase

Locations

File: API/app.py

Line 45 : SECRET_KEY
Lines 59–64 : CORS configuration

Current Code (Vulnerable)

Line 45 - HARDCODED SECRET:
app.config['SECRET_KEY'] = '12345'

Lines 59–64 - HARDCODED CORS:
if Config.HEROKU_DEPLOY == 1:
    CORS(app, origins=['https://osemosys.herokuapp.com/'])
else:
    CORS(app, origins=['http://127.0.0.1:3000', 'http://127.0.0.1:8080'])

File 2 : API/Classes/Base/Config.py
Lines : 42–43

Hardcoded flags (should come from environment):
HEROKU_DEPLOY = 0
AWS_SYNC = 0

File 3 : Base.Class.js
Lines : 6–7, 12–19 (Frontend mirrors backend hardcoding)

static HEROKU = 0;
static AWS_SYNC = 0;

if (this.HEROKU == 0) {
    apiUrl = "http://127.0.0.1:5002/";  // Hardcoded
} else {
    apiUrl = "https://osemosys.herokuapp.com/";  // Hardcoded
}

Expected Behavior

  • SECRET_KEY should be loaded from environment variable
  • CORS origins should be configurable via environment (comma-separated list)
  • Deployment mode should be determined by environment, not code flag
  • Code should work identically in dev, staging, and production without modification

Acceptance Criteria

  • Load SECRET_KEY from environment variable FLASK_SECRET_KEY (fallback to secure random if missing)
  • Load CORS_ORIGINS from environment variable (e.g., "http://localhost:3000,https://prod.example.com")
  • Load ENVIRONMENT from environment variable (dev/staging/prod) instead of hardcoded flag
  • Update Config.py to read from environment
  • Update Base.Class.js to load API URL from a runtime config file or environment
  • Document required environment variables in README
  • Test that app works with different environment configurations
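One way to meet the acceptance criteria above, as an added example rather than code from the OSeMOSYS repository: a stdlib-only settings loader that reads FLASK_SECRET_KEY, CORS_ORIGINS and ENVIRONMENT, validates each origin, and falls back to a random key only outside prod (the refusal to start in prod without a key goes one step beyond the criteria). The `env` parameter defaults to `os.environ` so tests can pass a constructed mapping.

```python
import os
import secrets
import warnings
from typing import Mapping
from urllib.parse import urlsplit

VALID_ENVIRONMENTS = ("dev", "staging", "prod")


def parse_cors_origins(raw: str) -> list:
    """Split a comma-separated CORS_ORIGINS value into a validated origin list.

    Each entry must be an absolute http(s) URL with no path. A trailing slash is
    stripped because browsers send the Origin header without one, so
    'https://osemosys.herokuapp.com/' would otherwise never match.
    """
    origins = []
    for item in raw.split(","):
        item = item.strip().rstrip("/")
        if not item:
            continue
        parts = urlsplit(item)
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
            raise ValueError(f"invalid CORS origin: {item!r}")
        origins.append(item)
    return origins


def load_settings(env: Mapping[str, str] = os.environ) -> dict:
    """Build the Flask config from environment variables instead of hardcoded values."""
    environment = env.get("ENVIRONMENT", "dev").lower()
    if environment not in VALID_ENVIRONMENTS:
        raise ValueError(f"ENVIRONMENT must be one of {VALID_ENVIRONMENTS}, got {environment!r}")

    secret_key = env.get("FLASK_SECRET_KEY")
    if not secret_key:
        # Fallback to a fresh random key. Sessions then do not survive a restart
        # and are not shared between workers, so it is only acceptable outside prod.
        if environment == "prod":
            raise RuntimeError("FLASK_SECRET_KEY must be set when ENVIRONMENT=prod")
        warnings.warn("FLASK_SECRET_KEY not set; using a random per-process key")
        secret_key = secrets.token_hex(32)

    # Default mirrors the current dev origins so local runs keep working unchanged.
    raw_origins = env.get("CORS_ORIGINS", "http://127.0.0.1:3000,http://127.0.0.1:8080")
    return {
        "ENVIRONMENT": environment,
        "SECRET_KEY": secret_key,
        "CORS_ORIGINS": parse_cors_origins(raw_origins),
    }
```

In app.py this replaces the hardcoded lines with `app.config.update(load_settings())` followed by `CORS(app, origins=app.config["CORS_ORIGINS"])`.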
