fix: remove Access-Control-Allow-Credentials header for CORS security compliance (#22)

JeaNile · Rock-520 · commit 22773dde536c · 2025-05-20T23:30:26.000+08:00
diff --git a/backend/magic-service/app/Infrastructure/Util/Middleware/CorsMiddleware.php b/backend/magic-service/app/Infrastructure/Util/Middleware/CorsMiddleware.php
@@ -21,7 +21,6 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
         $response = Context::get(ResponseInterface::class);
         $response = $response
             ->withHeader('Access-Control-Allow-Origin', '*')
-            ->withHeader('Access-Control-Allow-Credentials', 'true')
             ->withHeader('Access-Control-Allow-Headers', 'DNT,Keep-Alive,User-Agent,Cache-Control,Content-Type,Authorization,application-code,organization-code,x-forwarded-user,token,request-id,Language,api-key')
             ->withHeader('Access-Control-Allow-Methods', '*')
             ->withHeader('Request-Id', CoContext::getOrSetRequestId());
diff --git a/backend/super-magic/app/api/middleware/options_middleware.py b/backend/super-magic/app/api/middleware/options_middleware.py
@@ -35,7 +35,6 @@ async def dispatch(self, request: Request, call_next):
             response.headers["Access-Control-Allow-Origin"] = "*"
             response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS, PATCH"
             response.headers["Access-Control-Allow-Headers"] = "*"
-            response.headers["Access-Control-Allow-Credentials"] = "true"
             response.headers["Access-Control-Max-Age"] = "3600"
             return response
 
