Production Security Warning - Genai Toolbox

⚠️ Production Security Warning

Secure your deployment: By default, Toolbox allows all hosts (--allowed-hosts) and all origins (--allowed-origins). While convenient for local development, this is insecure for production.

Prevent DNS Rebinding: Use the --allowed-hosts flag to specify a list of hosts for validation. Example: command: ["--config", "/config/tools.yaml", "--address", "0.0.0.0", "--allowed-hosts", "localhost:5000"]
Implement CORS: Use the --allowed-origins flag to specify a list of origins permitted to access the server. Example: command: ["--config", "/config/tools.yaml", "--address", "0.0.0.0", "--allowed-origins", "https://foo.bar"]

Note: The server issues a warning in the logs if these are set to the wildcard *.