1. CORS Configuration Validation - Prevents allowCredentials(true) with ["*"] origins

2. OAuth2/SAML2 Redirect Security - Validates Referer against CORS whitelist, prevents JWT leakage
3. JWT in HttpOnly Cookies - Moved JWT from URL fragments to secure HttpOnly cookies
4. Refresh Token Infrastructure - Complete implementation with rotation and revocation
5. V2 Flag Removal - Removed from application.properties, AppConfig, and JwtService

app/core/src/main/java/stirling/software/SPDF/config/WebMvcConfig.java

@@ -1,14 +1,18 @@
 package stirling.software.SPDF.config;
 
+import jakarta.annotation.PostConstruct;
+
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 
 import stirling.software.common.model.ApplicationProperties;
 
+@Slf4j
 @Configuration
 @RequiredArgsConstructor
 public class WebMvcConfig implements WebMvcConfigurer {
@@ -16,6 +20,36 @@ public class WebMvcConfig implements WebMvcConfigurer {
     private final EndpointInterceptor endpointInterceptor;
     private final ApplicationProperties applicationProperties;
 
+    /**
+     * Validates CORS configuration on application startup to prevent runtime errors
+     * Spring will reject allowCredentials(true) + allowedOrigins("*") at runtime
+     * This validation provides a clear error message during startup instead
+     */
+    @PostConstruct
+    public void validateCorsConfiguration() {
+        if (applicationProperties.getSystem() != null
+                && applicationProperties.getSystem().getCorsAllowedOrigins() != null
+                && !applicationProperties.getSystem().getCorsAllowedOrigins().isEmpty()) {
+
+            var allowedOrigins = applicationProperties.getSystem().getCorsAllowedOrigins();
+
+            // Check if wildcard "*" is used with credentials
+            if (allowedOrigins.contains("*")) {
+                String errorMessage =
+                        "INVALID CORS CONFIGURATION: Cannot use allowedOrigins=[\"*\"] with allowCredentials=true.\n"
+                                + "This configuration is rejected by Spring Security at runtime.\n"
+                                + "Please specify exact origins in system.corsAllowedOrigins (e.g., [\"http://localhost:3000\", \"https://example.com\"])\n"
+                                + "or remove credentials support by modifying WebMvcConfig.";
+                log.error(errorMessage);
+                throw new IllegalStateException(errorMessage);
+            }
+
+            log.info(
+                    "CORS configuration validated successfully. Allowed origins: {}",
+                    allowedOrigins);
+        }
+    }
+
     @Override
     public void addInterceptors(InterceptorRegistry registry) {
         registry.addInterceptor(endpointInterceptor);

app/core/src/main/resources/application.properties

@@ -58,6 +58,3 @@ spring.main.allow-bean-definition-overriding=true
 
 # Set up a consistent temporary directory location
 java.io.tmpdir=${stirling.tempfiles.directory:${java.io.tmpdir}/stirling-pdf}
-
-# V2 features
-v2=true