add env vars to configure cors headers

aws/backend.json

@@ -33,6 +33,10 @@
           "name": "CSRF_TRUSTED_ORIGINS",
           "value": "[\"http://care-django-staging\", \"https://care.coronasafe.in\", \"https://careapi.coronasafe.in\", \"https://care.ohc.network\", \"https://careapi.ohc.network\"]"
         },
+        {
+          "name": "CORS_ALLOWED_ORIGINS",
+          "value": "[\"https://care.coronasafe.in\", \"https://careapi.coronasafe.in\", \"https://care.ohc.network\", \"https://careapi.ohc.network\", \"https://status.10bedicu.org\"]"
+        },
         {
           "name": "CURRENT_DOMAIN",
           "value": "https://care.ohc.network"

config/settings/base.py

@@ -253,8 +253,6 @@
 # https://docs.djangoproject.com/en/dev/ref/settings/#csrf-trusted-origins
 CSRF_TRUSTED_ORIGINS = env.json("CSRF_TRUSTED_ORIGINS", default=[])
 
-# https://github.com/adamchainz/django-cors-headers#cors_allow_all_origins-bool
-CORS_ORIGIN_ALLOW_ALL = True  # WARNING: This is not secure
 # https://github.com/adamchainz/django-cors-headers#cors_allowed_origin_regexes-sequencestr--patternstr
 # CORS_URLS_REGEX = r"^/api/.*$"
 

config/settings/deployment.py

@@ -39,6 +39,8 @@
 SECURE_CONTENT_TYPE_NOSNIFF = env.bool(
     "DJANGO_SECURE_CONTENT_TYPE_NOSNIFF", default=True
 )
+# https://github.com/adamchainz/django-cors-headers#cors_allowed_origins-sequencestr
+CORS_ALLOWED_ORIGINS = env.json("CORS_ALLOWED_ORIGINS", default=[])
 
 # TEMPLATES
 # ------------------------------------------------------------------------------

config/settings/local.py

@@ -1,5 +1,8 @@
 from .base import *  # noqa
 
+# https://github.com/adamchainz/django-cors-headers#cors_allow_all_origins-bool
+CORS_ORIGIN_ALLOW_ALL = True
+
 # WhiteNoise
 # ------------------------------------------------------------------------------
 # http://whitenoise.evans.io/en/latest/django.html#using-whitenoise-in-development