fix: 하드코딩 URL 제거 + 환경변수 전환

- App.tsx: 중복 API_BASE_URL 정의 → @common/services/api import - MapView.tsx: GeoServer localhost:8080 → VITE_GEOSERVER_URL 환경변수 - ShipInsurance.tsx: 해운조합 API URL → VITE_HAEWOON_API_URL 환경변수 - server.ts CORS: 운영 도메인 → FRONTEND_URL 환경변수 통합 - server.ts CSP: localhost 허용을 개발 환경(NODE_ENV≠production)에만 적용 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 01:36:07 +09:00 · 2026-03-01 01:36:07 +09:00 · 5e4044d461
--- a/backend/src/server.ts
+++ b/backend/src/server.ts
@ -49,7 +49,13 @@ app.use(helmet({
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "blob:"],
-      connectSrc: ["'self'", "http://localhost:*", "https://*.gc-si.dev", "https://*.data.go.kr", "https://*.khoa.go.kr"],
+      connectSrc: [
+        "'self'",
+        ...(process.env.NODE_ENV !== 'production' ? ['http://localhost:*'] : []),
+        'https://*.gc-si.dev',
+        'https://*.data.go.kr',
+        'https://*.khoa.go.kr',
+      ],
      fontSrc: ["'self'"],
      objectSrc: ["'none'"],
      frameSrc: ["'none'"],
@ -65,11 +71,12 @@ app.disable('x-powered-by')

 // 3. CORS: 허용된 출처만 접근 가능
 const allowedOrigins = [
-  'http://localhost:5173',  // Vite dev server
-  'http://localhost:5174',
-  'http://localhost:3000',
-  'https://wing-demo.gc-si.dev',
-  process.env.FRONTEND_URL, // 운영 환경 프론트엔드 URL (추가 도메인)
+  process.env.FRONTEND_URL || 'https://wing-demo.gc-si.dev',
+  ...(process.env.NODE_ENV !== 'production' ? [
+    'http://localhost:5173',
+    'http://localhost:5174',
+    'http://localhost:3000',
+  ] : []),
 ].filter(Boolean) as string[]

 app.use(cors({
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@ -6,6 +6,7 @@ import { LoginPage } from '@common/components/auth/LoginPage'
 import { registerMainTabSwitcher } from '@common/hooks/useSubMenu'
 import { useAuthStore } from '@common/store/authStore'
 import { useMenuStore } from '@common/store/menuStore'
+import { API_BASE_URL } from '@common/services/api'
 import { OilSpillView } from '@tabs/prediction'
 import { ReportsView } from '@tabs/reports'
 import { HNSView } from '@tabs/hns'
@ -46,8 +47,7 @@ function App() {
      [JSON.stringify({ action: 'TAB_VIEW', detail: activeMainTab })],
      { type: 'text/plain' }
    )
-    const apiBase = import.meta.env.VITE_API_URL || 'http://localhost:3001/api'
-    navigator.sendBeacon(`${apiBase}/audit/log`, blob)
+    navigator.sendBeacon(`${API_BASE_URL}/audit/log`, blob)
  }, [activeMainTab, isAuthenticated])

  // 세션 확인 중 스플래시
--- a/frontend/src/common/components/map/MapView.tsx
+++ b/frontend/src/common/components/map/MapView.tsx
@ -9,6 +9,8 @@ import type { BoomLine, BoomLineCoord } from '@common/types/boomLine'
 import type { ReplayShip, CollisionEvent } from '@common/types/backtrack'
 import { BacktrackReplayOverlay } from './BacktrackReplayOverlay'

+const GEOSERVER_URL = import.meta.env.VITE_GEOSERVER_URL || 'http://localhost:8080'
+
 // Fix Leaflet default icon issue
 import icon from 'leaflet/dist/images/marker-icon.png'
 import iconShadow from 'leaflet/dist/images/marker-shadow.png'
@ -190,7 +192,7 @@ export function MapView({
        {wmsLayers.map(layer => (
          <TileLayer
            key={layer.id}
-            url={`http://localhost:8080/geoserver/gwc/service/wms?service=WMS&version=1.1.0&request=GetMap&layers=${layer.wmsLayer}&styles=&bbox={bbox}&width=256&height=256&srs=EPSG:3857&format=image/png&transparent=true`}
+            url={`${GEOSERVER_URL}/geoserver/gwc/service/wms?service=WMS&version=1.1.0&request=GetMap&layers=${layer.wmsLayer}&styles=&bbox={bbox}&width=256&height=256&srs=EPSG:3857&format=image/png&transparent=true`}
            attribution='&copy; MPC GeoServer'
            opacity={layerOpacity / 100}
          />
--- a/frontend/src/tabs/assets/components/ShipInsurance.tsx
+++ b/frontend/src/tabs/assets/components/ShipInsurance.tsx
@ -1,6 +1,8 @@
 import { useState } from 'react'
 import type { InsuranceRow } from './assetTypes'

+const DEFAULT_HAEWOON_API = import.meta.env.VITE_HAEWOON_API_URL || 'https://api.haewoon.or.kr/v1/insurance'
+
 // 샘플 데이터 (외부 한국해운조합 API 연동 전 데모용)
 const INSURANCE_DEMO_DATA: InsuranceRow[] = [
  { shipName: '유조선 한라호', mmsi: '440123456', imo: '9876001', insType: 'P&I 보험', insurer: '한국P&I클럽', policyNo: 'PI-2025-1234', start: '2025-07-01', expiry: '2026-06-30', limit: '50억' },
@ -13,7 +15,7 @@ const INSURANCE_DEMO_DATA: InsuranceRow[] = [
 function ShipInsurance() {
  const [apiConnected, setApiConnected] = useState(false)
  const [showConfig, setShowConfig] = useState(false)
-  const [configEndpoint, setConfigEndpoint] = useState('https://api.haewoon.or.kr/v1/insurance')
+  const [configEndpoint, setConfigEndpoint] = useState(DEFAULT_HAEWOON_API)
  const [configApiKey, setConfigApiKey] = useState('')
  const [configKeyType, setConfigKeyType] = useState('mmsi')
  const [configRespType, setConfigRespType] = useState('json')