From 887a20f06e83d35cacc82956a73d9d471d3b0971 Mon Sep 17 00:00:00 2001
From: Zakir Jiwani
Date: Tue, 17 Mar 2026 04:55:06 -0400
Subject: [PATCH] feat: CORS_ALLOWED_ORIGINS configurable via environment variable (#10355)

Co-authored-by: Pepe Fagoaga
---
 api/CHANGELOG.md | 4 ++++
 api/src/backend/config/django/production.py | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/api/CHANGELOG.md b/api/CHANGELOG.md
index 79e49d2b3b..023abaeb40 100644
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to the **Prowler API** are documented in this file.
 ## [1.22.0] (Prowler UNRELEASED)
+### 🚀 Added
+
+- `CORS_ALLOWED_ORIGINS` configurable via environment variable [(#10355)](https://github.com/prowler-cloud/prowler/pull/10355)
+
 ### 🔄 Changed
 - Attack Paths: Complete migration to private graph labels and properties, removing deprecated dual-write support [(#10268)](https://github.com/prowler-cloud/prowler/pull/10268)
diff --git a/api/src/backend/config/django/production.py b/api/src/backend/config/django/production.py
index b2769237fc..91bd50d0d1 100644
--- a/api/src/backend/config/django/production.py
+++ b/api/src/backend/config/django/production.py
@@ -3,6 +3,10 @@ from config.env import env
 DEBUG = env.bool("DJANGO_DEBUG", default=False)
 ALLOWED_HOSTS = env.list("DJANGO_ALLOWED_HOSTS", default=["localhost", "127.0.0.1"])
+CORS_ALLOWED_ORIGINS = env.list(
+ "DJANGO_CORS_ALLOWED_ORIGINS",
+ default=["http://localhost", "http://127.0.0.1"],
+)
 # Database
 # TODO Use Django database routers https://docs.djangoproject.com/en/5.0/topics/db/multi-db/#automatic-database-routing
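Review bot: The new `CORS_ALLOWED_ORIGINS` block in production.py has no comment stating the expected value format, although the list it builds is a trust boundary: every origin in it is allowed to read API responses from a browser. I would add above it `# Comma-separated browser origins trusted to call the API (scheme://host[:port], no path or trailing slash); set DJANGO_CORS_ALLOWED_ORIGINS to the https origin(s) of the UI in production.` The defaults are plain-http loopback origins without a port, so a deployment that leaves the variable unset would presumably accept only a page served from port 80 on the same host, which fails closed but is likely to surprise operators. The CHANGELOG entry in the first hunk names the Django setting rather than the `DJANGO_CORS_ALLOWED_ORIGINS` variable that operators actually set. Whether `env.list` strips whitespace around commas is not visible here and is worth confirming, since an entry with a leading space would presumably never match an `Origin` header.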