LCORE-973: CORS configuration

Author: tisnik

src/models/config.py

@@ -38,9 +38,16 @@ class ConfigurationBase(BaseModel):
 class TLSConfiguration(ConfigurationBase):
     """TLS configuration.
 
+    Transport Layer Security (TLS) is a cryptographic protocol designed to
+    provide communications security over a computer network, such as the
+    Internet. The protocol is widely used in applications such as email,
+    instant messaging, and voice over IP, but its use in securing HTTPS remains
+    the most publicly visible.
+
     See also:
-    - https://fastapi.tiangolo.com/deployment/https/
-    - https://en.wikipedia.org/wiki/Transport_Layer_Security
+      - [FastAPI HTTPS Deployment](https://fastapi.tiangolo.com/deployment/https/)
+      - [Transport Layer Security Overview](https://en.wikipedia.org/wiki/Transport_Layer_Security)
+      - [What is TLS](https://www.ssltrust.eu/learning/ssl/transport-layer-security-tls)
     """
 
     tls_certificate_path: Optional[FilePath] = Field(
@@ -68,14 +75,49 @@ def check_tls_configuration(self) -> Self:
 
 
 class CORSConfiguration(ConfigurationBase):
-    """CORS configuration."""
+    """CORS configuration.
+
+    CORS or 'Cross-Origin Resource Sharing' refers to the situations when a
+    frontend running in a browser has JavaScript code that communicates with a
+    backend, and the backend is in a different 'origin' than the frontend.
+
+    See also:
+      - [CORS in FastAPI](https://fastapi.tiangolo.com/tutorial/cors/)
+      - [Wikipedia article](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing)
+      - [What is CORS?](https://dev.to/akshay_chauhan/what-is-cors-explained-8f1)
+    """
+
+    # not AnyHttpUrl: we need to support "*" that is not valid URL
+    allow_origins: list[str] = Field(
+        ["*"],
+        title="Allow origins",
+        description="An origin is the combination of protocol (http, https), "
+        "domain (myapp.com, localhost, localhost.tiangolo.com), and port (80, "
+        "443, 8080).",
+    )
 
-    allow_origins: list[str] = [
-        "*"
-    ]  # not AnyHttpUrl: we need to support "*" that is not valid URL
-    allow_credentials: bool = False
-    allow_methods: list[str] = ["*"]
-    allow_headers: list[str] = ["*"]
+    allow_credentials: bool = Field(
+        False,
+        title="Allow credentials",
+        description="Indicate that cookies should be supported for cross-origin requests",
+    )
+
+    allow_methods: list[str] = Field(
+        ["*"],
+        title="Allow methods",
+        description="A list of HTTP methods that should be allowed for "
+        "cross-origin requests. You can use ['*'] to allow "
+        "all standard methods.",
+    )
+
+    allow_headers: list[str] = Field(
+        ["*"],
+        title="Allow headers",
+        description="A list of HTTP request headers that should be supported "
+        "for cross-origin requests. You can use ['*'] to allow all headers. The "
+        "Accept, Accept-Language, Content-Language and Content-Type headers are "
+        "always allowed for simple CORS requests.",
+    )
 
     @model_validator(mode="after")
     def check_cors_configuration(self) -> Self:
@@ -183,7 +225,14 @@ class ServiceConfiguration(ConfigurationBase):
             tls_certificate_path=None, tls_key_path=None, tls_key_password=None
         )
     )
-    cors: CORSConfiguration = Field(default_factory=CORSConfiguration)
+    cors: CORSConfiguration = Field(
+        default_factory=lambda: CORSConfiguration(
+            allow_origins=["*"],
+            allow_credentials=False,
+            allow_methods=["*"],
+            allow_headers=["*"],
+        )
+    )
 
     @model_validator(mode="after")
     def check_service_configuration(self) -> Self: