From 6030764f18d68b94a348437e364aba8feea57f24 Mon Sep 17 00:00:00 2001
From: Sandra
Date: Fri, 28 Jan 2022 20:24:11 +0100
Subject: [PATCH] Fix CORS config incorrectly allowing credentials

---
 .../java/eu/okaeri/timings/api/security/SecurityConfig.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/api/src/main/java/eu/okaeri/timings/api/security/SecurityConfig.java b/backend/api/src/main/java/eu/okaeri/timings/api/security/SecurityConfig.java
index 4461924..9d83afb 100644
--- a/backend/api/src/main/java/eu/okaeri/timings/api/security/SecurityConfig.java
+++ b/backend/api/src/main/java/eu/okaeri/timings/api/security/SecurityConfig.java
@@ -26,9 +26,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 public CorsFilter corsFilter() {
 UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 CorsConfiguration config = new CorsConfiguration();
- config.setAllowCredentials(true);
+ config.setAllowCredentials(false);
 config.setAllowedOrigins(List.of("*"));
- config.setAllowedHeaders(Arrays.asList("Origin", "Content-Type", "Accept", "Authorization"));
+ config.setAllowedHeaders(Arrays.asList("Origin", "Content-Type", "Accept"));
 config.setAllowedMethods(List.of("*"));
 source.registerCorsConfiguration("/**", config);
 return new CorsFilter(source);
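Review bot: Dropping "Authorization" from the allowed-header list on the second `+` line is a behavioural change beyond the credentials fix and is not explained anywhere: any cross-origin caller that sends a bearer token will now fail the preflight with a browser-side CORS error instead of reaching the endpoint, so if other origins are still expected to authenticate this breaks them silently. If the API is intended to be anonymous across origins, say so next to the config, e.g. `// Cross-origin access is anonymous: no cookies (allowCredentials=false) and no Authorization header.` With `setAllowedOrigins(List.of("*"))`, Spring (from 5.3, as far as I recall) already rejects `allowCredentials(true)` at request time, so the first `+` line mainly aligns the declared config with what the framework enforces; the header change is the part that needs the justification. As a style point, the remaining list could be `List.of("Origin", "Content-Type", "Accept")` to match the neighbouring `List.of` calls. The closing brace of `corsFilter()` lies outside the hunk.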