feat: update CORS configuration to set allow_Credentials default to false

README.md

@@ -61,6 +61,7 @@ The starter CORS configuration now supports the following configurable keys:
 
 Defaults include `If-Match` in allowed headers and `ETag` in exposed headers to support browser-based optimistic locking workflows.
 The `allowed_headers`, `exposed_headers`, and `allowed_methods` keys are optional; if omitted, built-in defaults are applied.
+The default for `allow_Credentials` is `false`. If you set `allow_Credentials=true`, do not use `"*"` for `allowed_origin`; configure explicit origins.
 
 Example override file:
 

src/main/java/ca/uhn/fhir/jpa/starter/AppProperties.java

@@ -890,7 +890,7 @@ public class AppProperties {
 		private static final List<String> DEFAULT_ALLOWED_METHODS =
 				List.of("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "HEAD");
 
-		private Boolean allow_Credentials = true;
+		private Boolean allow_Credentials = false;
 		private List<String> allowed_origin = List.of("*");
 		private List<String> allowed_headers = DEFAULT_ALLOWED_HEADERS;
 		private List<String> exposed_headers = DEFAULT_EXPOSED_HEADERS;

src/main/resources/application-cds.yaml

@@ -338,9 +338,10 @@ hapi:
     # K. CORS
     # -------------------------------------------------------------------------------
     cors:
-      allow_Credentials: true
+      # allow_Credentials: false
       allowed_origin:
         - "*"
+      # If you enable allow_Credentials=true, use explicit origins instead of "*".
       # Optional overrides. If omitted, built-in defaults are used.
       # allowed_headers:
       #   - Origin

src/main/resources/application.yaml

@@ -368,9 +368,10 @@ hapi:
     # K. CORS
     # -------------------------------------------------------------------------------
     cors:
-      allow_Credentials: true
+      # allow_Credentials: false
       allowed_origin:
         - "*"
+      # If you enable allow_Credentials=true, use explicit origins instead of "*".
       # Optional overrides. If omitted, built-in defaults are used.
       # allowed_headers:
       #   - Origin

src/test/java/ca/uhn/fhir/jpa/starter/AppPropertiesCorsDefaultsTest.java

@@ -2,6 +2,7 @@ package ca.uhn.fhir.jpa.starter;
 
 import org.junit.jupiter.api.Test;
 
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 class AppPropertiesCorsDefaultsTest {
@@ -10,6 +11,7 @@ class AppPropertiesCorsDefaultsTest {
 	void defaultCorsHeadersIncludeFhirOptimisticLockingHeaders() {
 		AppProperties.Cors cors = new AppProperties.Cors();
 
+		assertFalse(cors.getAllow_Credentials());
 		assertTrue(cors.getAllowed_headers().contains("If-Match"));
 		assertTrue(cors.getExposed_headers().contains("ETag"));
 	}