remove security hotspot

src/main/java/es/in2/verifier/security/CorsConfig.java

@@ -15,13 +15,14 @@ public class CorsConfig {
     public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration configuration = new CorsConfiguration();
 
-        // Allow all origins
-        configuration.setAllowedOrigins(List.of("*"));
-        // Allow all HTTP methods
+        // we need to allow all origins because the service is public and must be accessible from any domain.
+        configuration.setAllowedOriginPatterns(List.of("*"));
         configuration.setAllowedMethods(List.of("GET", "POST"));
-        // Allow all headers
         configuration.setAllowedHeaders(List.of("Content-Type"));
 
+        // We do not allow the sending of credentials to improve security
+        configuration.setAllowCredentials(false);
+
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/health", configuration);
         source.registerCorsConfiguration("/oid4vp/auth-request/**", configuration);

src/main/java/es/in2/verifier/security/SecurityConfig.java

@@ -32,8 +32,6 @@ public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws
                         .requestMatchers("/img/**").permitAll()
                         .anyRequest().authenticated()
                 )
-                //TODO Config with Sonar
-                .csrf(AbstractHttpConfigurer::disable)
                 .formLogin(AbstractHttpConfigurer::disable);
         return http.build();
     }