From e87c096ee169cdd07636ba7dc132980b918df68b Mon Sep 17 00:00:00 2001
From: Karsten Hassel <hassel@gmx.de>
Date: Fri, 10 Apr 2026 23:25:53 +0200
Subject: [PATCH 1/2] fix replaceSecretPlaceholder: disable secret substitution
 only for cors=allowAll

---
 js/server_functions.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/js/server_functions.js b/js/server_functions.js
index bdc759c64e..33acac4c26 100644
--- a/js/server_functions.js
+++ b/js/server_functions.js
@@ -22,12 +22,12 @@ function getStartup (req, res) {
  * @returns {string} the input with real variable content
  */
 function replaceSecretPlaceholder (input) {
-	if (global.config.cors === "allowWhitelist") {
+	if (global.config.cors !== "allowAll") {
 		return input.replaceAll(/\*\*(SECRET_[^*]+)\*\*/g, (match, group) => {
 			return process.env[group];
 		});
 	} else {
-		Log.error("Replacing secrets works only with CORS and `allowWhitelist`, you need to set this in `config.js`, set `cors: allowWhitelist`");
+		Log.error("Replacing secrets doesn't work with CORS `allowAll`, you need to set `cors` to `disabled` or `allowWhitelist` in `config.js`");
 		return input;
 	}
 }

From b9af0ee9a3d955115b7da21b8d9305a9e716438d Mon Sep 17 00:00:00 2001
From: Karsten Hassel <hassel@gmx.de>
Date: Sun, 12 Apr 2026 00:38:08 +0200
Subject: [PATCH 2/2] log only if secrets includes

Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com>
---
 js/server_functions.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/js/server_functions.js b/js/server_functions.js
index 33acac4c26..2d55bc3b44 100644
--- a/js/server_functions.js
+++ b/js/server_functions.js
@@ -27,7 +27,9 @@ function replaceSecretPlaceholder (input) {
 			return process.env[group];
 		});
 	} else {
-		Log.error("Replacing secrets doesn't work with CORS `allowAll`, you need to set `cors` to `disabled` or `allowWhitelist` in `config.js`");
+		if (input.includes("**SECRET_")) {
+			Log.error("Replacing secrets doesn't work with CORS `allowAll`, you need to set `cors` to `disabled` or `allowWhitelist` in `config.js`");
+		}
 		return input;
 	}
 }