Tighten CORS/WebSocket origins and unify config across profiles #37

@sugan0tech

  • Description: CORS origins differ in multiple places and WS allows *. Centralize and restrict via properties.
  • Current state: CorsConfig allows http://localhost:5173; SecurityConfig CORS also 5173; application*.properties has spring.websocket.allowed-origins=http://localhost:3000; WebSocketConfig uses *.
  • Tasks:
    • Introduce properties: app.cors.allowed-origins, app.ws.allowed-origins for all profiles.
    • Wire CorsConfigurationSource and WebSocketConfig to read properties.
    • In prod, restrict to explicit origins; in dev, allow localhost ports as needed.
  • Acceptance criteria:
    • Single source of truth for allowed origins; WS and HTTP use the same set.
    • No wildcard origins in prod.
  • References: CorsConfig.java, SecurityConfig.java, WebSocketConfig.java, application*.properties.
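
One way the tasks above could be wired in Spring, as an added example that is not the project's code: a single configuration class reads both properties, lets the WebSocket list default to the HTTP list, and refuses to start in prod if either list is empty or contains a wildcard. The class name `OriginConfig`, the STOMP endpoint path `/ws`, the profile name `prod`, and the allowed methods and headers are assumptions.

```java
// Added illustration, not the project's code; class name, "/ws" path and "prod" profile are assumed.
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.core.env.Profiles;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@Configuration
@EnableWebSocketMessageBroker
public class OriginConfig implements WebSocketMessageBrokerConfigurer {
    private final String[] corsOrigins, wsOrigins;
    public OriginConfig(
            @Value("${app.cors.allowed-origins}") String[] corsOrigins,
            // WS list defaults to the HTTP list, so one property can drive both.
            @Value("${app.ws.allowed-origins:${app.cors.allowed-origins}}") String[] wsOrigins,
            Environment env) {
        if (env.acceptsProfiles(Profiles.of("prod"))) { // fail startup on weak prod config
            requireExplicit("app.cors.allowed-origins", corsOrigins);
            requireExplicit("app.ws.allowed-origins", wsOrigins);
        }
        this.corsOrigins = corsOrigins;
        this.wsOrigins = wsOrigins;
    }
    private static void requireExplicit(String key, String[] origins) {
        if (origins.length == 0 || String.join(",", origins).contains("*"))
            throw new IllegalStateException(key + " must list explicit origins in prod");
    }
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of(corsOrigins));
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS")); // assumed
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));          // assumed
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cfg);
        return source;
    }
    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/ws").setAllowedOrigins(wsOrigins);
    }
}
```

Each profile's properties file then sets `app.cors.allowed-origins` as a comma-separated list, and `app.ws.allowed-origins` only where the WebSocket set must differ.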
