Personal-Twin/hapi-fhir-jpaserver-starter
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: update CORS configuration to set allow_Credentials default to false

Browse Source
This commit is contained in:
Patrick Werner
2026-03-12 20:03:50 +01:00
parent 8069b7019a
commit 2ce85f064f
5 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -61,6 +61,7 @@ The starter CORS configuration now supports the following configurable keys:
Defaults include `If-Match` in allowed headers and `ETag` in exposed headers to support browser-based optimistic locking workflows.
The `allowed_headers`, `exposed_headers`, and `allowed_methods` keys are optional; if omitted, built-in defaults are applied.
The default for `allow_Credentials` is `false`. If you set `allow_Credentials=true`, do not use `"*"` for `allowed_origin`; configure explicit origins.
Example override file:

2
src/main/java/ca/uhn/fhir/jpa/starter/AppProperties.java
View File

@@ -890,7 +890,7 @@ public class AppProperties {
private static final List<String> DEFAULT_ALLOWED_METHODS =
List.of("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "HEAD");
private Boolean allow_Credentials = true;
private Boolean allow_Credentials = false;
private List<String> allowed_origin = List.of("*");
private List<String> allowed_headers = DEFAULT_ALLOWED_HEADERS;
private List<String> exposed_headers = DEFAULT_EXPOSED_HEADERS;

5
src/main/resources/application-cds.yaml
View File

@@ -267,7 +267,7 @@ hapi:
# -------------------------------------------------------------------------------
bulk_export_enabled: false
bulk_import_enabled: false
bulk_export_file_retention_period_hours: 2
bulk_export_file_retention_period_hours: 2
# -------------------------------------------------------------------------------
# F. Write / Delete / Integrity
@@ -338,9 +338,10 @@ hapi:
# K. CORS
# -------------------------------------------------------------------------------
cors:
allow_Credentials: true
# allow_Credentials: false
allowed_origin:
- "*"
# If you enable allow_Credentials=true, use explicit origins instead of "*".
# Optional overrides. If omitted, built-in defaults are used.
# allowed_headers:
# - Origin

3
src/main/resources/application.yaml
View File

@@ -368,9 +368,10 @@ hapi:
# K. CORS
# -------------------------------------------------------------------------------
cors:
allow_Credentials: true
# allow_Credentials: false
allowed_origin:
- "*"
# If you enable allow_Credentials=true, use explicit origins instead of "*".
# Optional overrides. If omitted, built-in defaults are used.
# allowed_headers:
# - Origin

2
src/test/java/ca/uhn/fhir/jpa/starter/AppPropertiesCorsDefaultsTest.java
View File

@@ -2,6 +2,7 @@ package ca.uhn.fhir.jpa.starter;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
class AppPropertiesCorsDefaultsTest {
@@ -10,6 +11,7 @@ class AppPropertiesCorsDefaultsTest {
void defaultCorsHeadersIncludeFhirOptimisticLockingHeaders() {
AppProperties.Cors cors = new AppProperties.Cors();
assertFalse(cors.getAllow_Credentials());
assertTrue(cors.getAllowed_headers().contains("If-Match"));
assertTrue(cors.getExposed_headers().contains("ETag"));
}