Skip to content

CORS allows all origins (*) with credentials #21

New issue
New issue
Open
Open
CORS allows all origins (*) with credentials#21
Labels
enhancementNew feature or request
@RonaldRonnie

Description

@RonaldRonnie
RonaldRonnie
opened on Mar 17, 2026

Description:

SecurityConfig and UserController allow all origins:

  • CorsConfiguration uses setAllowedOriginPatterns(Arrays.asList("*")) with setAllowCredentials(true). This combination is insecure and can lead to credential leakage.
  • UserController has @CrossOrigin(origins = "*"), which is redundant and overly permissive.

CORS should restrict origins to known frontends (e.g. from config/env).

Acceptance criteria:

  • CORS allowed origins come from configuration (e.g. CORS_ALLOWED_ORIGINS in env) and are not * when credentials are allowed
  • Remove @CrossOrigin(origins = "*") from controllers; rely on global CORS config only

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions