[feat] CORS implementation complete #91
Merged
@@ -13,6 +13,11 @@ | |
| import org.springframework.security.crypto.password.PasswordEncoder; | ||
| import org.springframework.security.web.SecurityFilterChain; | ||
| import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; | ||
| import org.springframework.web.cors.CorsConfiguration; | ||
| import org.springframework.web.cors.CorsConfigurationSource; | ||
| import org.springframework.web.cors.UrlBasedCorsConfigurationSource; | ||
|
|
||
| import java.util.Arrays; | ||
|
|
||
| @Configuration | ||
| @RequiredArgsConstructor | ||
|
|
@@ -30,6 +35,7 @@ public PasswordEncoder passwordEncoder() { | |
| public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { | ||
| http | ||
| .csrf(csrf -> csrf.disable()) | ||
| .cors(cors -> cors.configurationSource(corsConfigurationSource())) | ||
| .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) | ||
| .authorizeHttpRequests(auth -> auth | ||
| .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll() | ||
|
|
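Review bot: the `.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()` rule becomes redundant once `.cors(cors -> cors.configurationSource(corsConfigurationSource()))` is in place, because Spring Security's CorsFilter answers preflight requests before authorization is evaluated; keeping it means every OPTIONS request, not only CORS preflights, skips authentication, so consider removing it. Also, `csrf.disable()` is only safe here because the chain is `STATELESS` and authenticates through `JwtAuthenticationFilter`, which holds only while the JWT travels in a request header rather than a cookie; since the CORS bean in this PR sets `allowCredentials(true)`, please record that assumption in a comment next to the `csrf` line.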
@@ -43,12 +49,26 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti | |
| "/v3/api-docs/**", | ||
| "/", | ||
| "/index", | ||
| "/index.html" | ||
| "/index.html", | ||
| "/admin/**" | ||
| ).permitAll() | ||
| .anyRequest().authenticated() | ||
| ) | ||
| .addFilterBefore(new JwtAuthenticationFilter(jwtProvider), UsernamePasswordAuthenticationFilter.class); | ||
|
|
||
| return http.build(); | ||
| } | ||
|
|
||
| @Bean | ||
| public CorsConfigurationSource corsConfigurationSource() { | ||
| CorsConfiguration configuration = new CorsConfiguration(); | ||
| configuration.setAllowedOriginPatterns(Arrays.asList("*")); // 모든 오리진 허용 | ||
| configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); // 허용할 HTTP 메서드 | ||
| configuration.setAllowedHeaders(Arrays.asList("*")); // 모든 헤더 허용 | ||
| configuration.setAllowCredentials(true); // 쿠키, 인증 정보 허용 | ||
|
|
||
| UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); | ||
| source.registerCorsConfiguration("/**", configuration); // 모든 경로에 적용 | ||
| return source; | ||
| } | ||
|
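Review bot: adding `"/admin/**"` to the `permitAll()` list makes every admin endpoint reachable without a token, and because matchers are evaluated in order this entry takes precedence over `.anyRequest().authenticated()`; replace it with a role-restricted rule such as `.requestMatchers("/admin/**").hasRole("ADMIN")` placed before `anyRequest()`. In `corsConfigurationSource()`, `setAllowedOriginPatterns(Arrays.asList("*"))` together with `setAllowCredentials(true)` makes the server echo whatever `Origin` the browser sends into `Access-Control-Allow-Origin` and add `Access-Control-Allow-Credentials: true`, so any site can issue credentialed requests to the API and read the responses. Spring refuses the same combination through `setAllowedOrigins("*")` for exactly this reason; the pattern variant should only carry a concrete allowlist of origins. `setAllowedHeaders(Arrays.asList("*"))` is tolerable for a header-based JWT but should be narrowed to the headers the client actually needs.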
Comment on lines +62 to +73
Overly permissive CORS configuration - serious security risk
The current CORS configuration is very lenient and can create security risks:
We recommend changing it to a more restrictive configuration, as follows:
- configuration.setAllowedOriginPatterns(Arrays.asList("*")); // allow all origins
+ configuration.setAllowedOriginPatterns(Arrays.asList("http://localhost:3000", "https://yourdomain.com")); // allow only specific origins
- configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); // HTTP methods to allow
+ configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); // allow only the methods you need
- configuration.setAllowedHeaders(Arrays.asList("*")); // allow all headers
+ configuration.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "X-Requested-With")); // allow only the headers you need
Alternatively, configure profiles so that each environment uses its own settings.
||
| } | ||
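To make the effect of the reviewed setting concrete, the following is an added example that is not code from the pull request or from Spring. It models the decision Spring's `CorsConfiguration` makes when computing `Access-Control-Allow-Origin`: a literal `"*"` in the allowed origins is only valid without credentials, while an origin pattern such as `"*"` combined with `allowCredentials=true` echoes the requesting origin back. The `attacker.example` origin, the `app.example.com` allowlist entry and the `CorsPolicy` class are constructed for the demonstration and are not the project's.

```python
"""Model of how a CORS policy answers a cross-origin request.

Added example; it imitates Spring's CorsConfiguration.checkOrigin()
decision so the PR's allowedOriginPatterns("*") + allowCredentials(true)
setting can be compared with an explicit allowlist without running the app.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class CorsPolicy:
    allowed_origins: list = field(default_factory=list)          # exact origins, "*" permitted
    allowed_origin_patterns: list = field(default_factory=list)  # wildcard patterns, e.g. "*"
    allow_credentials: bool = False

    def __post_init__(self):
        # Spring rejects this combination with an IllegalArgumentException;
        # the check is mirrored here so the model cannot express it either.
        if self.allow_credentials and "*" in self.allowed_origins:
            raise ValueError('allowCredentials=true cannot be combined with allowedOrigins "*"')

    def check_origin(self, origin):
        """Value for Access-Control-Allow-Origin, or None when the origin is denied."""
        if not origin:
            return None
        if "*" in self.allowed_origins:
            return "*"                       # only reachable without credentials
        if origin in self.allowed_origins:
            return origin
        if any(fnmatchcase(origin, pattern) for pattern in self.allowed_origin_patterns):
            return origin                    # patterns always echo the exact origin
        return None

    def response_headers(self, origin):
        """CORS headers the server would attach to a response for `origin`."""
        allow = self.check_origin(origin)
        if allow is None:
            return {}
        headers = {"Access-Control-Allow-Origin": allow}
        if self.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers


def credentialed_read_allowed(policy, origin):
    """True if a page at `origin` may send cookies/credentials and read the response.

    Browsers require the exact origin (not "*") plus Allow-Credentials: true.
    """
    headers = policy.response_headers(origin)
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


# The setting from the PR: any origin pattern plus credentials.
PR_POLICY = CorsPolicy(allowed_origin_patterns=["*"], allow_credentials=True)

# Hardened variant: explicit allowlist (example origins, not the project's).
HARDENED_POLICY = CorsPolicy(
    allowed_origins=["http://localhost:3000", "https://app.example.com"],
    allow_credentials=True,
)

ATTACKER_ORIGIN = "https://attacker.example"  # constructed origin for the demonstration

if __name__ == "__main__":
    for name, policy in (("PR", PR_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, policy.response_headers(ATTACKER_ORIGIN),
              "credentialed read:", credentialed_read_allowed(policy, ATTACKER_ORIGIN))
```

Under the PR's policy the attacker origin is echoed back with `Access-Control-Allow-Credentials: true`, which is the condition a browser needs before it lets a foreign page read a credentialed response; under the allowlist the response carries no CORS headers at all and the browser blocks the read.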
Unauthenticated access allowed to admin paths - security risk
Adding the "/admin/**" path to permitAll() makes the admin functionality accessible without authentication. This can create a serious security risk.
Admin paths require proper authentication and authorization checks.
We recommend the following change:
- "/admin/**"
Then add separate security configuration for the admin paths:
I'll do it next time~
@KiSeungMin Understood! Since this is a security issue, shall I register a GitHub issue so it isn't missed later? It would be good to track the admin-path security hardening as a follow-up task.
Let me know if you need it! 🙂