Description: CORS origins differ in multiple places and WS allows `*`. Centralize and restrict via properties.
Current state: `CorsConfig` allows `http://localhost:5173`; `SecurityConfig` CORS also `5173`; `application*.properties` has `spring.websocket.allowed-origins=http://localhost:3000`; `WebSocketConfig` uses `*`.
Tasks:
- Introduce properties: `app.cors.allowed-origins`, `app.ws.allowed-origins` for all profiles.
- Wire `CorsConfigurationSource` and `WebSocketConfig` to read properties.
- In prod, restrict to explicit origins; in dev, allow localhost ports as needed.
Acceptance criteria:
- Single source of truth for allowed origins; WS and HTTP use the same set.
Files: `CorsConfig.java`, `SecurityConfig.java`, `WebSocketConfig.java`, `application*.properties`.
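One way to wire the tasks above, as an added example that is not the project's own code: a single Spring configuration class reads both properties, refuses to start on a wildcard or empty origin list, and feeds the HTTP CORS source and the WebSocket endpoint from them. The class name `AllowedOriginsConfig`, the STOMP endpoint path `/ws`, the use of STOMP at all, the method and header lists, and the property values in the comments are assumptions.

```java
// Added example; class name, "/ws" path and property values are assumptions.
// application.properties (dev):  app.cors.allowed-origins=http://localhost:5173,http://localhost:3000
//                                app.ws.allowed-origins=${app.cors.allowed-origins}   (same set for WS and HTTP)
// application-prod.properties:   app.cors.allowed-origins=https://app.example.com     (placeholder origin)
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@Configuration
@EnableWebSocketMessageBroker
public class AllowedOriginsConfig implements WebSocketMessageBrokerConfigurer {
    private final List<String> corsOrigins;
    private final List<String> wsOrigins;

    public AllowedOriginsConfig(
            @Value("${app.cors.allowed-origins}") List<String> corsOrigins,
            @Value("${app.ws.allowed-origins}") List<String> wsOrigins) {
        this.corsOrigins = requireExplicit("app.cors.allowed-origins", corsOrigins);
        this.wsOrigins = requireExplicit("app.ws.allowed-origins", wsOrigins);
    }
    // Fail closed at startup: an empty list or any wildcard entry is a configuration error.
    private static List<String> requireExplicit(String key, List<String> origins) {
        if (origins.isEmpty() || origins.stream().anyMatch(o -> o.isBlank() || o.contains("*"))) {
            throw new IllegalStateException(key + " must list explicit origins");
        }
        return List.copyOf(origins);
    }
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(corsOrigins);
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/ws").setAllowedOrigins(wsOrigins.toArray(String[]::new));
    }
}
```

For the HTTP side to take effect, `SecurityConfig` has to enable CORS in the filter chain so that Spring Security picks up this `CorsConfigurationSource` bean instead of its own hard-coded origin.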