Tighten CORS configuration before production deployment #3

Description

@coderabbitai

Summary

The current CORS configuration in SecurityConfig is overly permissive — it allows requests from any origin on all endpoints:

registry.addMapping("/**").allowedOrigins("*");

This was intentionally left open for local development/testing but must be restricted before going to production.

Required changes

  • Scope the mapping to /api/** instead of /**.
  • Replace allowedOrigins("*") with an explicit list of trusted frontend origins (ideally read from application properties/environment variables).
  • Explicitly declare allowedMethods (e.g., GET, POST, PUT, PATCH, DELETE, OPTIONS).
  • Explicitly declare allowedHeaders.
  • Set a sensible maxAge (e.g., 3600).

References

Reported by @jamius19
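The following is an added example of what the requested change can look like in a Spring MVC application; it is not the project's SecurityConfig or code from the issue. The class name CorsConfig, the package name, the property app.cors.allowed-origins (and its environment-variable form APP_CORS_ALLOWED_ORIGINS), the header list and the https-only check are all assumptions made for this example. It also fails at startup if the configured list is empty, contains "*", or contains anything that is not a bare https origin, so a bad property value cannot silently reopen the API.

```java
package com.example.config; // package name is an assumption

import java.net.URI;
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Example production CORS policy for the REST API (not the project's own code).
 * Replaces
 *   registry.addMapping("/**").allowedOrigins("*");
 * with an explicit, validated allow-list scoped to /api/**.
 */
@Configuration
public class CorsConfig implements WebMvcConfigurer {

    // Methods the API actually serves for cross-origin callers.
    static final String[] ALLOWED_METHODS =
            {"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"};

    // Request headers the frontend may send; deliberately an explicit list, not "*".
    static final String[] ALLOWED_HEADERS =
            {"Authorization", "Content-Type", "X-Requested-With"};

    // Seconds a browser may cache a preflight (OPTIONS) response.
    static final long PREFLIGHT_MAX_AGE_SECONDS = 3600;

    private final String[] allowedOrigins;

    /**
     * Origins come from the assumed property app.cors.allowed-origins, e.g.
     *   app.cors.allowed-origins=https://app.example.com,https://admin.example.com
     * or the environment variable APP_CORS_ALLOWED_ORIGINS. Spring splits the
     * comma-separated value into the String[] constructor parameter.
     */
    public CorsConfig(@Value("${app.cors.allowed-origins}") String[] allowedOrigins) {
        this.allowedOrigins = validateOrigins(allowedOrigins);
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")              // only the API, not every endpoint
                .allowedOrigins(allowedOrigins)     // explicit list, never "*"
                .allowedMethods(ALLOWED_METHODS)
                .allowedHeaders(ALLOWED_HEADERS)
                .allowCredentials(true)             // assumes the frontend sends cookies or an Authorization header
                .maxAge(PREFLIGHT_MAX_AGE_SECONDS);
    }

    /**
     * Fail at startup rather than serve a bad policy: the list must be non-empty,
     * must not contain the wildcard, and each entry must be an absolute https
     * origin of the form scheme://host[:port] with no path, query or fragment
     * (browsers send exactly that in the Origin header, and Spring compares
     * origins literally, so "https://app.example.com/" would never match).
     */
    static String[] validateOrigins(String[] origins) {
        if (origins == null || origins.length == 0) {
            throw new IllegalStateException("app.cors.allowed-origins must list at least one origin");
        }
        List<String> cleaned = new ArrayList<>();
        for (String raw : origins) {
            String origin = raw.trim();
            requireHttpsOrigin(origin);
            cleaned.add(origin);
        }
        return cleaned.toArray(new String[0]);
    }

    private static void requireHttpsOrigin(String origin) {
        if ("*".equals(origin)) {
            throw new IllegalStateException("wildcard origin is not allowed in production");
        }
        URI uri = URI.create(origin);
        boolean ok = "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && uri.getRawPath().isEmpty()
                && uri.getRawQuery() == null
                && uri.getRawFragment() == null;
        if (!ok) {
            throw new IllegalStateException("not a valid https origin: " + origin);
        }
    }
}
```

Two checks worth doing after deploying a configuration like this. First, send a preflight from an origin that is not on the list, for example `curl -i -X OPTIONS https://api.example.com/api/health -H "Origin: https://evil.example" -H "Access-Control-Request-Method: GET"`: Spring's default CORS processor answers 403 with the body "Invalid CORS request" and no Access-Control-Allow-Origin header, while the same request from a listed origin gets that origin echoed back together with Access-Control-Allow-Credentials: true and Access-Control-Max-Age: 3600. Second, note that Spring itself refuses allowedOrigins("*") combined with allowCredentials(true); the validation above simply turns that into an earlier and clearer failure. The https-only rule is a choice for the production profile; a development profile can keep its own property value. Finally, CORS only governs which origins a browser lets read the API's responses; it is not a CSRF defence, so the application's CSRF configuration should be reviewed independently of this change.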
