chore: allow local frontend origins for CORS#99
Merged
tlarbals824 merged 1 commit into develop on May 5, 2026
Permit the current production API to serve browser requests from local frontend dev origins while consolidating local-only Spring settings under the local profile. Keep the openapi profile intact for generated-client extraction.

Constraint: The team has no separate development API server, so local Next.js testing needs to reach the deployed API.
Rejected: Wildcard CORS origins | unsafe with credentials enabled.
Confidence: high
Scope-risk: moderate
Directive: Remove localhost origins once a dedicated development API or BFF/proxy flow is available.
Tested: ./gradlew test --no-daemon; git diff --check
Not-tested: Deployed CORS preflight after merge
83e171c to 14dcbad
Problem
There is currently no separate development API server, so the local Next.js frontend has to call the production API (https://api.vs.io.kr) directly for testing. The existing production CORS default only allowed the production frontend domain, so preflight requests from the local frontend development environment are blocked.

Changes
1. Add the local frontend origins to the production CORS default allowed origins
The wildcard (*) is not used; only the required local origins were added explicitly. If APP_CORS_ALLOWED_ORIGINS is set, the environment variable value takes precedence, as before.
2. Consolidate the dev profile into the local profile
application-dev.yml was renamed to application-local.yml.
3. Add a test-only profile
Added src/test/resources/application-test.yml, and the context-load test was split out to use @ActiveProfiles("test").
4. Keep the openapi profile
application-openapi.yaml, which is used for API client generation, is kept as is.

Caution
With allow-credentials=true, the production API now trusts localhost origins, so it is recommended to remove this setting once a development API server or a frontend BFF/proxy flow exists.

Verification
./gradlew test --no-daemon
git diff --check
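The allow-list rule this PR describes (explicit origins with an APP_CORS_ALLOWED_ORIGINS override, exact origin matching, and no wildcard while credentials are enabled), as an added Python model for review; it is not the project's Spring configuration, and the frontend origins and the localhost port are constructed assumptions.

```python
import os
from urllib.parse import urlsplit

# Assumed production-profile defaults: a constructed production frontend
# origin plus the local Next.js dev origin the PR adds (port assumed).
PRODUCTION_DEFAULT_ORIGINS = [
    "https://app.example.com",
    "http://localhost:3000",
]
ALLOW_CREDENTIALS = True  # the PR states allow-credentials=true


def resolve_allowed_origins(env=None):
    """Comma-separated APP_CORS_ALLOWED_ORIGINS overrides the profile default."""
    env = os.environ if env is None else env
    raw = env.get("APP_CORS_ALLOWED_ORIGINS", "").strip()
    origins = [o.strip() for o in raw.split(",") if o.strip()] if raw else list(PRODUCTION_DEFAULT_ORIGINS)
    if ALLOW_CREDENTIALS and "*" in origins:
        # Spring's CorsConfiguration likewise rejects "*" with allowCredentials=true:
        # a credentialed wildcard lets any site read authenticated responses.
        raise ValueError("wildcard origin is not allowed when credentials are enabled")
    return origins


def normalize_origin(origin):
    """Canonical scheme://host:port for exact comparison; None if malformed."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. "http://localhost:3000.evil.com"
        return None
    port = port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def preflight_response(origin, allowed):
    """CORS headers a preflight from `origin` would receive, or None if denied.

    Matching is exact per origin (no prefix or substring matching), and the
    allowed origin is echoed back rather than answered with "*".
    """
    want = normalize_origin(origin)
    if want is None or want not in {normalize_origin(a) for a in allowed}:
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```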