Provide a configuration option to control automatic option responses

By default Flask will provide responses to OPTIONS requests that are automatically generated. These responses list the valid methods in the response headers. Whilst this is useful, it can be frowned on by auditors hence an ability to disable it wholesale is useful.
2024-06-05 13:23:18 +01:00 · 2024-06-05 13:23:18 +01:00 · d718ecf6d3
commit d718ecf6d3
parent 0ce27278d2
4 changed files with 14 additions and 2 deletions
--- a/src/flask/app.py
+++ b/src/flask/app.py
@ -198,6 +198,7 @@ class Flask(App):
            "PREFERRED_URL_SCHEME": "http",
            "TEMPLATES_AUTO_RELOAD": None,
            "MAX_COOKIE_SIZE": 4093,
+            "PROVIDE_AUTOMATIC_OPTIONS": True,
        }
    )

--- a/src/flask/sansio/app.py
+++ b/src/flask/sansio/app.py
@ -638,7 +638,7 @@ class App(Scaffold):
            )

        if provide_automatic_options is None:
-            if "OPTIONS" not in methods:
+            if "OPTIONS" not in methods and self.config["PROVIDE_AUTOMATIC_OPTIONS"]:
                provide_automatic_options = True
                required_methods.add("OPTIONS")
            else: