a4f2047bcc
Production never sources PDFs from localhost or 127.0.0.1 — the OCR service only reads from MinIO over the internal docker network. The Python default (`minio,localhost,127.0.0.1`) was permissive on purpose for local dev, but in production a future change to that default — or a host-env override — would silently broaden the SSRF surface. Pinning the env var explicitly here freezes the allowlist to the one hostname production actually needs. `docker compose config --quiet` and `--profile staging config --quiet` both still pass. Verified the resolved config emits `ALLOWED_PDF_HOSTS: minio`. Addresses @nora's round-2 suggestion on PR #499 — "five characters of YAML, lifetime guarantee". Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
7.6 KiB
7.6 KiB