From 94ec19cf07222b7b4c1db616a7b46aabc26b132b Mon Sep 17 00:00:00 2001
From: chihlasm
Date: Fri, 6 Feb 2026 00:24:02 -0500
Subject: [PATCH] fix: only register debug endpoint when DEBUG=True
The /debug/cors endpoint is now conditionally registered, preventing information leakage about CORS configuration in production.
Co-Authored-By: Claude Opus 4.6
---
 backend/app/main.py | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/backend/app/main.py b/backend/app/main.py
index de184a15..d601ca4b 100644
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -89,12 +89,13 @@ async def health_check():
 return {"status": "healthy"}
-@app.get("/debug/cors")
-async def debug_cors():
- """Debug endpoint to check CORS configuration."""
- return {
- "allow_railway_origins": settings.ALLOW_RAILWAY_ORIGINS,
- "cors_mode": "regex + list" if settings.ALLOW_RAILWAY_ORIGINS else "list",
- "allowed_origins": settings.allowed_origins,
- "railway_regex": r"https://.*\.up\.railway\.app" if settings.ALLOW_RAILWAY_ORIGINS else None
- }
+if settings.DEBUG:
+ @app.get("/debug/cors")
+ async def debug_cors():
+ """Debug endpoint to check CORS configuration."""
+ return {
+ "allow_railway_origins": settings.ALLOW_RAILWAY_ORIGINS,
+ "cors_mode": "regex + list" if settings.ALLOW_RAILWAY_ORIGINS else "list",
+ "allowed_origins": settings.allowed_origins,
+ "railway_regex": r"https://.*\.up\.railway\.app" if settings.ALLOW_RAILWAY_ORIGINS else None
+ }
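Review bot: The new guard `if settings.DEBUG:` is only as safe as the default and parsing of `DEBUG`, which are defined outside this hunk. If the settings class defaults it to `True`, or a deployed environment leaves it set, `/debug/cors` is still served without authentication and still returns `settings.allowed_origins`. Confirm the default is `False` and document the gate above it, for example `# Registered at import time only when DEBUG is true; keep off in production (exposes the CORS allow-list).` A regression test asserting that `GET /debug/cors` returns 404 when `DEBUG` is false would stop the gate from being dropped silently in a later refactor. Separately, the `railway_regex` value is a literal copied into the response, so it can drift from the pattern the CORS middleware actually applies (that configuration is not visible here).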