Summary
The current CORS configuration in `SecurityConfig` is overly permissive: it allows requests from any origin on all endpoints:
```java
registry.addMapping("/**").allowedOrigins("*");
```
This was intentionally left open for local development/testing but must be restricted before going to production.
Required changes
- Scope the mapping to `/api/**` instead of `/**`.
- Replace `allowedOrigins("*")` with an explicit list of trusted frontend origins (ideally read from application properties/environment variables).
- Explicitly declare `allowedMethods` (e.g., GET, POST, PUT, PATCH, DELETE, OPTIONS).
- Explicitly declare `allowedHeaders`.
- Set a sensible `maxAge` (e.g., 3600).
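For reference, here is one way the restricted mapping could look once all of the above is applied. This is an added illustration, not the project's current `SecurityConfig`; the class name `CorsConfig`, the property key `app.cors.allowed-origins`, and the header list are assumptions chosen for the example.

```java
// Added example, not the project's own code. It reads trusted origins from
// application properties (or the APP_CORS_ALLOWED_ORIGINS environment variable
// via Spring Boot's relaxed binding) and refuses to start if the wildcard is set.
package com.example.config; // hypothetical package

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsConfig implements WebMvcConfigurer {

    // Comma-separated list of trusted frontend origins, e.g.
    // app.cors.allowed-origins=https://app.example.com,https://admin.example.com
    private final List<String> allowedOrigins;

    public CorsConfig(@Value("${app.cors.allowed-origins}") List<String> allowedOrigins) {
        // Fail fast: an empty list or "*" must never reach production.
        if (allowedOrigins.isEmpty() || allowedOrigins.contains("*")) {
            throw new IllegalStateException(
                "app.cors.allowed-origins must list explicit origins, not '*'");
        }
        this.allowedOrigins = allowedOrigins;
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")                              // scoped to the API, not /**
                .allowedOrigins(allowedOrigins.toArray(new String[0]))
                .allowedMethods("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS")
                .allowedHeaders("Authorization", "Content-Type", "X-Requested-With")
                .maxAge(3600);                                      // preflight cache, in seconds
    }
}
```

A dev profile can still point `app.cors.allowed-origins` at `http://localhost:3000`; the production profile then carries only the real frontend hosts. Note that browsers reject `Access-Control-Allow-Origin: *` together with credentials, so if the API relies on cookies or `Authorization` headers with `allowCredentials(true)`, the explicit origin list is required anyway.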
References
Reported by @jamius19