From 8a80a593a80db8501c5b73308ab281f5a20525d1 Mon Sep 17 00:00:00 2001
From: Rob Hudson <robhudson@mozilla.com>
Date: Fri, 20 Dec 2024 08:54:42 -0800
Subject: [PATCH] Update CORS settings for ninja API endpoints

---
 basket/settings.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/basket/settings.py b/basket/settings.py
index 871582d0..4f536180 100644
--- a/basket/settings.py
+++ b/basket/settings.py
@@ -10,6 +10,7 @@
 import django_cache_url
 import markus
 import sentry_sdk
+from corsheaders.defaults import default_headers
 from everett.manager import ChoiceOf, ConfigManager, ConfigurationMissingError, ListOf
 from sentry_processor import DesensitizationProcessor
 from sentry_sdk.integrations.django import DjangoIntegration
@@ -232,8 +233,9 @@ def path(*args):
 CTMS_CLIENT_ID = config("CTMS_CLIENT_ID", default="")
 CTMS_CLIENT_SECRET = config("CTMS_CLIENT_SECRET", default="")
 
-CORS_ORIGIN_ALLOW_ALL = True
-CORS_URLS_REGEX = r"^/(news/|subscribe)"
+CORS_ALLOW_ALL_ORIGINS = True
+CORS_ALLOW_HEADERS = (*default_headers, "x-api-key")
+CORS_URLS_REGEX = r"^/(api/|news/|subscribe)"
 
 # view rate limiting
 RATELIMIT_VIEW = "basket.news.views.ratelimited"