1. CORS Configuration Validation - Prevents allowCredentials(true) with ["*"] origins
2. OAuth2/SAML2 Redirect Security - Validates Referer against CORS whitelist, prevents JWT leakage
3. JWT in HttpOnly Cookies - Moved JWT from URL fragments to secure HttpOnly cookies
4. Refresh Token Infrastructure - Complete implementation with rotation and revocation
5. V2 Flag Removal - Removed from application.properties, AppConfig, and JwtService
This commit is contained in:
DarioGii
2025-10-24 14:15:43 +01:00
parent b901a66466
commit 6337fbd30d
10 changed files with 738 additions and 57 deletions


@@ -49,14 +49,6 @@ public class AppConfig {
@Value("${server.port:8080}")
private String serverPort;
@Value("${v2}")
public boolean v2Enabled;
@Bean
public boolean v2Enabled() {
return v2Enabled;
}
/* Commented out Thymeleaf template engine bean - to be removed when frontend migration is complete
@Bean
@ConditionalOnProperty(name = "system.customHTMLFiles", havingValue = "true")
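Review bot: dropping the `v2Enabled` field and the `@Bean public boolean v2Enabled()` method (the eight deletions the `-49,14 +49,6` header counts) breaks any remaining injection site that was wired to that bean, such as an `@Autowired boolean v2Enabled` or a `@Qualifier("v2Enabled")`, and the failure only shows up at context startup rather than at compile time; the commit message names only application.properties, AppConfig and JwtService, so a search for `v2Enabled` and `${v2}` across the rest of the code base and the test sources would confirm nothing else still resolves it. On a smaller point, the trailing context still carries the commented-out Thymeleaf bean with its "to be removed when frontend migration is complete" marker; since this commit is already a flag-removal cleanup, either delete that dead block here too or leave a reference to where its removal is tracked.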