From 2ce85f064f9bcf036492d9780517c40bb7ba6bb9 Mon Sep 17 00:00:00 2001
From: Patrick Werner
Date: Thu, 12 Mar 2026 20:03:50 +0100
Subject: [PATCH] feat: update CORS configuration to set allow_Credentials default to false

---
 README.md | 1 +
 src/main/java/ca/uhn/fhir/jpa/starter/AppProperties.java | 2 +-
 src/main/resources/application-cds.yaml | 5 +++--
 src/main/resources/application.yaml | 3 ++-
 .../uhn/fhir/jpa/starter/AppPropertiesCorsDefaultsTest.java | 2 ++
 5 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 3340854..c2650b6 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,7 @@ The starter CORS configuration now supports the following configurable keys:
 Defaults include `If-Match` in allowed headers and `ETag` in exposed headers to support browser-based optimistic locking workflows.
 The `allowed_headers`, `exposed_headers`, and `allowed_methods` keys are optional; if omitted, built-in defaults are applied.
+The default for `allow_Credentials` is `false`. If you set `allow_Credentials=true`, do not use `"*"` for `allowed_origin`; configure explicit origins.
 Example override file:
diff --git a/src/main/java/ca/uhn/fhir/jpa/starter/AppProperties.java b/src/main/java/ca/uhn/fhir/jpa/starter/AppProperties.java
index 00bf810..f6bf4a2 100644
--- a/src/main/java/ca/uhn/fhir/jpa/starter/AppProperties.java
+++ b/src/main/java/ca/uhn/fhir/jpa/starter/AppProperties.java
@@ -890,7 +890,7 @@ public class AppProperties {
 private static final List DEFAULT_ALLOWED_METHODS = List.of("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "HEAD");
- private Boolean allow_Credentials = true;
+ private Boolean allow_Credentials = false;
 private List allowed_origin = List.of("*");
 private List allowed_headers = DEFAULT_ALLOWED_HEADERS;
 private List exposed_headers = DEFAULT_EXPOSED_HEADERS;
diff --git a/src/main/resources/application-cds.yaml b/src/main/resources/application-cds.yaml
index cb2bf1b..07b691d 100644
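Review bot: Flipping `allow_Credentials` to `false` is the right default, but nothing in `Cors` prevents an operator from turning it back on while `allowed_origin` keeps its default `List.of("*")` — the only guard against that pairing is the README sentence this commit adds. Unless the component that consumes these properties already rejects the combination (not visible from here), consider failing fast where the values are read, e.g. `if (Boolean.TRUE.equals(allow_Credentials) && allowed_origin.contains("*")) { throw new IllegalStateException("CORS: allow_Credentials=true cannot be combined with allowed_origin \"*\""); }`. A Javadoc line on the field, `/** Defaults to false; must not be true while allowed_origin contains "*". */`, keeps the rule next to the code rather than only in the README. The same point applies to the `cors:` hunks in application-cds.yaml and application.yaml, where the key is now commented out and the effective value is whatever this Java default is. The enclosing `Cors` class and `AppProperties` both extend outside the hunk.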
--- a/src/main/resources/application-cds.yaml
+++ b/src/main/resources/application-cds.yaml
@@ -267,7 +267,7 @@ hapi:
 # -------------------------------------------------------------------------------
 bulk_export_enabled: false
 bulk_import_enabled: false
- bulk_export_file_retention_period_hours: 2
+ bulk_export_file_retention_period_hours: 2
 # -------------------------------------------------------------------------------
 # F. Write / Delete / Integrity
@@ -338,9 +338,10 @@ hapi:
 # K. CORS
 # -------------------------------------------------------------------------------
 cors:
- allow_Credentials: true
+ # allow_Credentials: false
 allowed_origin:
 - "*"
+ # If you enable allow_Credentials=true, use explicit origins instead of "*".
 # Optional overrides. If omitted, built-in defaults are used.
 # allowed_headers:
 # - Origin
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index 6f6909a..3e9a8d7 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -368,9 +368,10 @@ hapi:
 # K. CORS
 # -------------------------------------------------------------------------------
 cors:
- allow_Credentials: true
+ # allow_Credentials: false
 allowed_origin:
 - "*"
+ # If you enable allow_Credentials=true, use explicit origins instead of "*".
 # Optional overrides. If omitted, built-in defaults are used.
 # allowed_headers:
 # - Origin
diff --git a/src/test/java/ca/uhn/fhir/jpa/starter/AppPropertiesCorsDefaultsTest.java b/src/test/java/ca/uhn/fhir/jpa/starter/AppPropertiesCorsDefaultsTest.java
index 415ad37..685f049 100644
--- a/src/test/java/ca/uhn/fhir/jpa/starter/AppPropertiesCorsDefaultsTest.java
+++ b/src/test/java/ca/uhn/fhir/jpa/starter/AppPropertiesCorsDefaultsTest.java
@@ -2,6 +2,7 @@ package ca.uhn.fhir.jpa.starter;
 import org.junit.jupiter.api.Test;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 class AppPropertiesCorsDefaultsTest {
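Review bot: The new comment in the `cors:` block tells operators to switch to explicit origins, but the file shows no example of what that looks like, so a commented-out entry beside the `"*"` item would make the advice actionable, e.g. `# - https://app.example.org` (placeholder host). The identical hunk in application.yaml has the same gap. With `allow_Credentials` commented out in both files, the effective value is now whatever the Java default is; a one-line comment stating that, `# Defaults to false (see AppProperties.Cors).`, saves a reader a trip to the source.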
@@ -10,6 +11,7 @@ class AppPropertiesCorsDefaultsTest {
 void defaultCorsHeadersIncludeFhirOptimisticLockingHeaders() {
 AppProperties.Cors cors = new AppProperties.Cors();
+ assertFalse(cors.getAllow_Credentials());
 assertTrue(cors.getAllowed_headers().contains("If-Match"));
 assertTrue(cors.getExposed_headers().contains("ETag"));
 }
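Review bot: `assertFalse(cors.getAllow_Credentials())` auto-unboxes a `Boolean`, so a null default would surface as a NullPointerException instead of an assertion failure; `assertEquals(Boolean.FALSE, cors.getAllow_Credentials())` (with the matching static import) reports both cases as a plain mismatch. The assertion also lives in a method named `defaultCorsHeadersIncludeFhirOptimisticLockingHeaders`, which no longer describes what is checked; a separate `@Test void defaultCorsDisallowsCredentials()` keeps the test names honest and makes a regression of the default fail under its own name. If a getter for `allowed_origin` exists, asserting in that new test that the default contains `"*"` documents that the wildcard is only acceptable because credentials are off. The enclosing test class continues outside the hunk.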