Restrict CORS configuration to same origin by default
Description
At the moment, the boilerplate defaults to allowing requests via websites from all origins. This can lead to exploits but doesn't necessarily mean they are vulnerabilities.
The default client, i.e. if include_ui is true, is hosted from the same origin, meaning the same-origin policy would be sufficient.
Update the boilerplate so that CORS configuration defaults to same-origin. "Application teams" should still be able to configure CORS policies if they need to.
Further details
Task list
Acceptance criteria
- Applications created via the boilerplate with no customisation default to only allowing requests from websites from the same origin.
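A sketch of the requested default, added here as an example and not taken from the boilerplate (the issue does not name its framework, so this is framework-agnostic Python). `cors_headers`, `normalise_origin`, `SAME_ORIGIN`, `PERMISSIVE` and the `.example` origins are hypothetical names; an empty allow-list emits no CORS headers, so the browser's same-origin policy applies, while application teams can still list specific origins.

```python
from urllib.parse import urlsplit

PERMISSIVE = ("*",)   # hypothetical name for the current default: every origin
SAME_ORIGIN = ()      # hypothetical name for the proposed default: grant nothing

def normalise_origin(value):
    """Return 'scheme://host[:port]' in lower case, or None if not a plain origin."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port                      # raises ValueError on a bad port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None                            # also rejects the literal "null"
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None                            # an origin has no path or userinfo
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    default_port = {"http": 80, "https": 443}[parts.scheme]
    suffix = f":{port}" if port and port != default_port else ""
    return f"{parts.scheme}://{host}{suffix}"

def cors_headers(request_origin, allowed_origins=SAME_ORIGIN):
    """Headers to add to a response; {} leaves the same-origin policy in force."""
    if request_origin is None:                 # no Origin header on the request
        return {}
    if "*" in allowed_origins:
        return {"Access-Control-Allow-Origin": "*"}
    # Configured entries are normalised; entries that are not origins are dropped.
    allowed = {normalise_origin(o) for o in allowed_origins} - {None}
    # Browsers send the serialised origin, so an exact string match is enough and
    # the echoed value is always one of the configured origins.
    if request_origin in allowed:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    # Vary keeps shared caches from reusing a response across origins.
    return {"Vary": "Origin"} if allowed else {}

if __name__ == "__main__":
    # Constructed sample origins, not values from the issue.
    for cfg in (SAME_ORIGIN, PERMISSIVE, ["https://partner.example/"]):
        print(cfg, cors_headers("https://partner.example", cfg))
```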