From 95bf8c4c0a53448fca70445d058bfacb00ce8c33 Mon Sep 17 00:00:00 2001
From: tristan
Date: Wed, 24 Jun 2026 10:49:04 +0200
Subject: [PATCH] =?UTF-8?q?fix(audit)=20:=20autorise=20l'en-t=C3=AAte=20X-?= =?UTF-8?q?Device-Id=20en=20CORS=20(d=C3=A9bloque=20le=20front)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Le front envoie X-Device-Id sur toutes les requêtes (cross-origin :3001 -> :8081). Sans l'ajouter à allow_headers, le préflight CORS échoue et le navigateur bloque toutes les requêtes API. Vérifié : préflight OPTIONS passe de 400 à 200.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 config/packages/nelmio_cors.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/packages/nelmio_cors.yaml b/config/packages/nelmio_cors.yaml
index 2717d60..a95a715 100644
--- a/config/packages/nelmio_cors.yaml
+++ b/config/packages/nelmio_cors.yaml
@@ -3,7 +3,7 @@ nelmio_cors:
 origin_regex: true
 allow_origin: ['%env(CORS_ALLOW_ORIGIN)%']
 allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
- allow_headers: ['Content-Type', 'Authorization']
+ allow_headers: ['Content-Type', 'Authorization', 'X-Device-Id']
 allow_credentials: true
 expose_headers: ['Link', 'Content-Disposition']
 max_age: 3600
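Review bot: The added `'X-Device-Id'` entry in `allow_headers` carries no comment saying what the header is for or how far the API may trust it; the browser client sets the value itself, so whatever consumes it server-side (the `fix(audit)` prefix suggests audit logging, which is not visible here) should treat it as unverified, length- and format-checked input rather than as proof of device identity. I would add above the line `# X-Device-Id: sent by the front on every request; client-controlled, never an authentication or attribution factor on its own`. Because the same block keeps `origin_regex: true` together with `allow_credentials: true`, this allow-list is only as strict as the pattern held in `CORS_ALLOW_ORIGIN`, so it is worth confirming that the value is anchored with `^…$` and escapes its dots. The enclosing `nelmio_cors` mapping starts above the hunk, so whether these keys sit under `defaults` or a path-specific rule cannot be seen from here.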