[P0] Lock down CORS, Swagger, H2 console, and security headers for production #275

@jjoonleo

Description

Problem

Security configuration permits broad public access to developer/admin surfaces and configures CORS to allow any origin with credentials.

Why this is not production ready

Open CORS with credentials increases cross-origin attack surface. Public Swagger/OpenAPI and H2 console routes can expose API details or development tooling in production. Frame options are disabled globally, increasing clickjacking risk.

Evidence

  • SecurityConfig permits /h2-console/**.
  • SecurityConfig permits /v3/api-docs/**, /swagger-ui/**, /swagger-resources/**, /webjars/**, and /swagger-ui.html.
  • SecurityConfig.corsConfigurationSource uses addAllowedOriginPattern("*"), allows all methods/headers, and sets allowCredentials(true).
  • SecurityConfig disables frame options globally.

Required work

  • Introduce environment-specific security configuration.
  • Disable H2 console, Swagger UI, and OpenAPI docs in production or restrict them behind admin authentication/network allowlists.
  • Replace wildcard CORS with an explicit list of production frontend origins.
  • Avoid allowCredentials(true) unless required; if required, tightly scope origins/headers/methods.
  • Re-enable frame protections except where a local dev console explicitly requires them.
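One shape the environment-specific configuration could take, as an added example written for this issue rather than the project's own SecurityConfig (the property name, the `/api/**` prefix and the health endpoint are assumptions):

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Active only when the "prod" profile is set; a separate @Profile("!prod")
// class (not shown) can keep the H2 console and Swagger for local development.
@Configuration
@Profile("prod")
public class ProdSecurityConfig {

    // Hypothetical property, e.g. app.cors.allowed-origins=https://app.example.com
    @Value("${app.cors.allowed-origins}")
    private List<String> allowedOrigins;

    @Bean
    public SecurityFilterChain prodFilterChain(HttpSecurity http) throws Exception {
        http
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            // Frame options stay enabled in prod: browsers refuse to frame the app.
            .headers(headers -> headers.frameOptions(frame -> frame.deny()))
            .authorizeHttpRequests(auth -> auth
                // Developer surfaces are hard-denied instead of permitAll().
                .requestMatchers("/h2-console/**", "/v3/api-docs/**", "/swagger-ui/**",
                                 "/swagger-ui.html", "/swagger-resources/**", "/webjars/**")
                    .denyAll()
                .requestMatchers("/actuator/health").permitAll() // assumed public endpoint
                .anyRequest().authenticated());
        return http.build();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Before: addAllowedOriginPattern("*") with allowCredentials(true).
        // After: exact origins from configuration, no wildcard pattern at all.
        config.setAllowedOrigins(allowedOrigins);
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        // Keep true only if the frontend actually sends cookies; it is now scoped
        // to the exact origins above rather than to every origin.
        config.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config); // assumed API prefix
        return source;
    }
}
```

Note that `CorsConfiguration` refuses `setAllowedOrigins(List.of("*"))` together with `setAllowCredentials(true)` at runtime, which is why wildcard-with-credentials setups tend to use `addAllowedOriginPattern("*")` instead; an explicit origin list sidesteps the issue entirely.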

Acceptance criteria

  • Production config exposes only intended public endpoints.
  • CORS rejects unknown origins in production.
  • Swagger/H2 are inaccessible from the public internet in production.
  • Security tests cover allowed and rejected origins/routes.

Metadata

Labels

  • area:deployment (Build, config, deployment, infrastructure)
  • area:security (Security, privacy, auth, or secrets)
  • priority:P0 (Critical: blocks safe production launch)
  • production-readiness (Production readiness audit item)
  • type:hardening (Security/stability hardening task)
