github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #8998] More secure defaults: Disable CORS, and only bind to localhost #15351

New Issue
Closed
opened 2026-04-19 21:35:25 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-19 21:35:25 -05:00
Owner
Copy Link

Originally created by @joliss on GitHub (Jan 27, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/8998

CORS

If I understand the CORS warning below correctly, open-webui by default allows CORS requests from any origin. I might misunderstand and it actually has an additional security layer that stops misuse of this, but at first blush, this seems like something I definitely don't want, since it might allow any website that I'm opening in my browser to send CORS requests to localhost:8080 to download my chat history or run LLM requests.

$ open-webui serve --host localhost
Loading WEBUI_SECRET_KEY from file, not provided as an environment variable.
Loading WEBUI_SECRET_KEY from /Users/primary/.webui_secret_key
/opt/homebrew/lib/python3.11/site-packages/open_webui
/opt/homebrew/lib/python3.11/site-packages
/opt/homebrew/lib/python3.11
Running migrations
INFO  [alembic.runtime.migration] Context impl SQLiteImpl.
INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
INFO  [open_webui.env] 'DEFAULT_LOCALE' loaded from the latest database entry
INFO  [open_webui.env] 'DEFAULT_PROMPT_SUGGESTIONS' loaded from the latest database entry
WARNI [open_webui.env]

WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS.

INFO  [open_webui.env] Embedding model set: sentence-transformers/all-MiniLM-L6-v2
WARNI [langchain_community.utils.user_agent] USER_AGENT environment variable not set, consider setting it to identify your requests.

  ___                    __        __   _     _   _ ___
 / _ \ _ __   ___ _ __   \ \      / /__| |__ | | | |_ _|
| | | | '_ \ / _ \ '_ \   \ \ /\ / / _ \ '_ \| | | || |
| |_| | |_) |  __/ | | |   \ V  V /  __/ |_) | |_| || |
 \___/| .__/ \___|_| |_|    \_/\_/ \___|_.__/ \___/|___|
      |_|


v0.5.7 - building the best open-source AI user interface.

https://github.com/open-webui/open-webui

I figured out that CORS_ALLOW_ORIGIN=http://localhost open-webui serve probably disallows CORS from non-localhost origins. (I first tried CORS_ALLOW_ORIGIN= open-webui serve, but it crashed.)

Perhaps the UX and security could be improved by having CORS disallowed by default, and only allow it if CORS_ALLOW_ORIGIN is explicitly set. (For reference, CORS_ALLOW_ORIGIN seems to have been added in #4714, but it doesn't seem to have changed the default behavior to be more secure.)

Default bind

According to open-webui serve --help, the default host to bind to is 0.0.0.0, which allows anyone on the internet to connect to my server.

I would suggest that localhost is a more secure default. Anybody who wants their server to be reachable via any or all network interfaces can explicitly set --host to do so.

Note: I'm not familiar with how Docker manages incomes network connections and how this change might affect Docker. If we change this default, it might be worth checking

  • that it doesn't break the Docker image by making the server unreachable from outside of Docker, and
  • that the Docker image's configuration doesn't in turn re-export the server port to 0.0.0.0, but rather also uses localhost as a secure default.

Changing the default behavior for CORS and bind is probably a breaking change, so I would suggest bumping the major version (e.g. to 0.6.0) with this change.

Originally created by @joliss on GitHub (Jan 27, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/8998 ## CORS If I understand the CORS warning below correctly, open-webui by default allows CORS requests from any origin. I might misunderstand and it actually has an additional security layer that stops misuse of this, but at first blush, this seems like something I definitely don't want, since it might allow any website that I'm opening in my browser to send CORS requests to localhost:8080 to download my chat history or run LLM requests. ``` $ open-webui serve --host localhost Loading WEBUI_SECRET_KEY from file, not provided as an environment variable. Loading WEBUI_SECRET_KEY from /Users/primary/.webui_secret_key /opt/homebrew/lib/python3.11/site-packages/open_webui /opt/homebrew/lib/python3.11/site-packages /opt/homebrew/lib/python3.11 Running migrations INFO [alembic.runtime.migration] Context impl SQLiteImpl. INFO [alembic.runtime.migration] Will assume non-transactional DDL. INFO [open_webui.env] 'DEFAULT_LOCALE' loaded from the latest database entry INFO [open_webui.env] 'DEFAULT_PROMPT_SUGGESTIONS' loaded from the latest database entry WARNI [open_webui.env] WARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS. INFO [open_webui.env] Embedding model set: sentence-transformers/all-MiniLM-L6-v2 WARNI [langchain_community.utils.user_agent] USER_AGENT environment variable not set, consider setting it to identify your requests. ___ __ __ _ _ _ ___ / _ \ _ __ ___ _ __ \ \ / /__| |__ | | | |_ _| | | | | '_ \ / _ \ '_ \ \ \ /\ / / _ \ '_ \| | | || | | |_| | |_) | __/ | | | \ V V / __/ |_) | |_| || | \___/| .__/ \___|_| |_| \_/\_/ \___|_.__/ \___/|___| |_| v0.5.7 - building the best open-source AI user interface. https://github.com/open-webui/open-webui ``` I figured out that `CORS_ALLOW_ORIGIN=http://localhost open-webui serve` probably disallows CORS from non-localhost origins. (I first tried `CORS_ALLOW_ORIGIN= open-webui serve`, but it crashed.) Perhaps the UX and security could be improved by having CORS disallowed by default, and only allow it if CORS_ALLOW_ORIGIN is explicitly set. (For reference, CORS_ALLOW_ORIGIN seems to have been added in #4714, but it doesn't seem to have changed the default behavior to be more secure.) ## Default bind According to `open-webui serve --help`, the default host to bind to is `0.0.0.0`, which allows anyone on the internet to connect to my server. I would suggest that `localhost` is a more secure default. Anybody who wants their server to be reachable via any or all network interfaces can explicitly set `--host` to do so. Note: I'm not familiar with how Docker manages incomes network connections and how this change might affect Docker. If we change this default, it might be worth checking * that it doesn't break the Docker image by making the server unreachable from outside of Docker, and * that the Docker image's configuration doesn't in turn re-export the server port to `0.0.0.0`, but rather also uses `localhost` as a secure default. -------------- Changing the default behavior for CORS and bind is probably a breaking change, so I would suggest bumping the major version (e.g. to 0.6.0) with this change.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#15351
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?