Provide a configuration option to control automatic option responses

By default Flask will provide responses to OPTIONS requests that are automatically generated. These responses list the valid methods in the response headers. Whilst this is useful, it can be frowned on by auditors hence an ability to disable it wholesale is useful.
2024-06-05 13:23:18 +01:00 · 2024-06-05 13:23:18 +01:00 · d718ecf6d3
commit d718ecf6d3
parent 0ce27278d2
4 changed files with 14 additions and 2 deletions
--- a/docs/config.rst
+++ b/docs/config.rst
@ -280,6 +280,12 @@ The following configuration values are used internally by Flask:
    ``4093``. Larger cookies may be silently ignored by browsers. Set to
    ``0`` to disable the warning.

+.. py:data:: PROVIDE_AUTOMATIC_OPTIONS
+
+    Set to ``False`` to disable the automatic addition of OPTIONS
+    responses. This can be overridden per route by altering the
+    ``provide_automatic_options`` attribute.
+
 .. versionadded:: 0.4
   ``LOGGER_NAME``

@ -331,6 +337,10 @@ The following configuration values are used internally by Flask:
 .. versionchanged:: 2.3
    ``ENV`` was removed.

+.. versionadded:: 3.10
+    Added :data:`PROVIDE_AUTOMATIC_OPTIONS` to control the default
+    addition of autogenerated OPTIONS responses.
+

 Configuring from Python Files
 -----------------------------