DevKor-github · jjoonleo · May 10, 2026 · May 10, 2026
diff --git a/ontime-back/src/main/java/devkor/ontime_back/config/SecurityConfig.java b/ontime-back/src/main/java/devkor/ontime_back/config/SecurityConfig.java
@@ -72,7 +72,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                 .headers(headers -> headers
                         .frameOptions(frameOptions -> frameOptions.disable()))
                 .authorizeHttpRequests(auth -> auth
-                        .requestMatchers("/", "/account-deletion", "/css/**", "/images/**", "/js/**", "/favicon.ico", "/h2-console/**").permitAll()
+                        .requestMatchers("/", "/account-deletion", "/privacy-policy", "/css/**", "/images/**", "/js/**", "/favicon.ico", "/h2-console/**").permitAll()
                         .requestMatchers("/health", "/actuator/health/**", "/oauth2/sign-up", "oauth2/success", "login/success", "/oauth2/google/login", "/oauth2/kakao/login", "/oauth2/apple/login", "/sign-up", "/*/additional-info").permitAll()
                         .requestMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-resources/**", "/webjars/**", "/swagger-ui.html").permitAll()
                         .requestMatchers("/error").permitAll()

diff --git a/ontime-back/src/main/java/devkor/ontime_back/controller/AccountDeletionPageController.java b/ontime-back/src/main/java/devkor/ontime_back/controller/AccountDeletionPageController.java
@@ -133,8 +133,9 @@ public ResponseEntity<String> getAccountDeletionPage() {
 
                               <h2>Privacy Policy</h2>
                               <p>
-                                Once the public OnTime privacy policy is hosted, it should be linked from this page and listed in
-                                Google Play Console together with this account deletion request URL.
+                                The public OnTime privacy policy is available at
+                                <a href="https://ontime-back.duckdns.org/privacy-policy">https://ontime-back.duckdns.org/privacy-policy</a>.
+                                It can be listed in Google Play Console together with this account deletion request URL.
                               </p>
                             </section>
                           </main>

diff --git a/ontime-back/src/main/java/devkor/ontime_back/controller/PrivacyPolicyController.java b/ontime-back/src/main/java/devkor/ontime_back/controller/PrivacyPolicyController.java
diff --git a/ontime-back/src/main/java/devkor/ontime_back/global/jwt/JwtAuthenticationFilter.java b/ontime-back/src/main/java/devkor/ontime_back/global/jwt/JwtAuthenticationFilter.java
@@ -32,7 +32,7 @@
 @Slf4j
 public class JwtAuthenticationFilter extends OncePerRequestFilter {
 
-    private static final List<String> NO_CHECK_URLS = List.of("/login", "/health", "/actuator/health", "/swagger-ui", "/sign-up", "/account-deletion", "/v3/api-docs", "/oauth2/google/login", "/oauth2/kakao/login", "/oauth2/apple/login");
+    private static final List<String> NO_CHECK_URLS = List.of("/login", "/health", "/actuator/health", "/swagger-ui", "/sign-up", "/account-deletion", "/privacy-policy", "/v3/api-docs", "/oauth2/google/login", "/oauth2/kakao/login", "/oauth2/apple/login");
 
     private final JwtTokenProvider jwtTokenProvider;
     private final UserRepository userRepository;

diff --git a/ontime-back/src/test/java/devkor/ontime_back/ControllerTestSupport.java b/ontime-back/src/test/java/devkor/ontime_back/ControllerTestSupport.java
@@ -26,7 +26,8 @@
                 FirebaseTokenController.class,
                 AlarmController.class,
                 SocialAuthController.class,
-                AccountDeletionPageController.class
+                AccountDeletionPageController.class,
+                PrivacyPolicyController.class
         }
 )
 public abstract class ControllerTestSupport {

diff --git a/...e-back/src/test/java/devkor/ontime_back/controller/AccountDeletionPageControllerTest.java b/...e-back/src/test/java/devkor/ontime_back/controller/AccountDeletionPageControllerTest.java
@@ -31,6 +31,6 @@ void getAccountDeletionPage() throws Exception {
                 .andExpect(content().string(containsString("retain that feedback for up to")))
                 .andExpect(content().string(containsString("Operational logs, monitoring records, and security records may be retained for up to 90 days")))
                 .andExpect(content().string(containsString("retained for no longer than 30 days")))
-                .andExpect(content().string(containsString("privacy policy")));
+                .andExpect(content().string(containsString("https://ontime-back.duckdns.org/privacy-policy")));
     }
 }
diff --git a/ontime-back/src/test/java/devkor/ontime_back/controller/PrivacyPolicyControllerTest.java b/ontime-back/src/test/java/devkor/ontime_back/controller/PrivacyPolicyControllerTest.java
@@ -0,0 +1,42 @@
+package devkor.ontime_back.controller;
+
+import devkor.ontime_back.ControllerTestSupport;
+import devkor.ontime_back.TestSecurityConfig;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.springframework.context.annotation.Import;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@Import(TestSecurityConfig.class)
+class PrivacyPolicyControllerTest extends ControllerTestSupport {
+
+    @DisplayName("개인정보 처리방침 페이지를 로그인 없이 HTML로 조회한다.")
+    @Test
+    void getPrivacyPolicy() throws Exception {
+        mockMvc.perform(get("/privacy-policy"))
+                .andExpect(status().isOk())
+                .andExpect(header().string("Cache-Control", containsString("max-age=3600")))
+                .andExpect(content().contentTypeCompatibleWith("text/html"))
+                .andExpect(content().string(containsString("OnTime Privacy Policy")))
+                .andExpect(content().string(containsString("App name: OnTime")))
+                .andExpect(content().string(containsString("Developer/entity: ejun")))
+                .andExpect(content().string(containsString("jjoonleo@gmail.com")))
+                .andExpect(content().string(containsString("Effective date: May 10, 2026")))
+                .andExpect(content().string(containsString("https://ontime-back.duckdns.org/account-deletion")))
+                .andExpect(content().string(containsString("Account data")))
+                .andExpect(content().string(containsString("Schedule/preparation data")))
+                .andExpect(content().string(containsString("Alarm/notification data")))
+                .andExpect(content().string(containsString("Feedback")))
+                .andExpect(content().string(containsString("Local app data")))
+                .andExpect(content().string(containsString("Technical/diagnostic data")))
+                .andExpect(content().string(containsString("account data and user-owned app data are deleted")))
+                .andExpect(content().string(containsString("for up to 1 year")))
+                .andExpect(content().string(containsString("for up to 90")))
+                .andExpect(content().string(containsString("retained for no longer than 30 days")));
+    }
+}
diff --git a/ontime-back/src/test/java/devkor/ontime_back/global/jwt/JwtAuthenticationFilterTest.java b/ontime-back/src/test/java/devkor/ontime_back/global/jwt/JwtAuthenticationFilterTest.java
@@ -3,7 +3,8 @@
 import devkor.ontime_back.repository.UserRepository;
 import jakarta.servlet.FilterChain;
 import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 
@@ -13,14 +14,15 @@
 
 class JwtAuthenticationFilterTest {
 
-    @DisplayName("계정 삭제 요청 페이지는 액세스 토큰 없이 JWT 필터를 통과한다.")
-    @Test
-    void skipsAccountDeletionPage() throws Exception {
+    @DisplayName("공개 HTML 페이지는 액세스 토큰 없이 JWT 필터를 통과한다.")
+    @ParameterizedTest
+    @ValueSource(strings = {"/account-deletion", "/privacy-policy"})
+    void skipsPublicHtmlPages(String path) throws Exception {
         JwtTokenProvider jwtTokenProvider = mock(JwtTokenProvider.class);
         UserRepository userRepository = mock(UserRepository.class);
         FilterChain filterChain = mock(FilterChain.class);
         JwtAuthenticationFilter filter = new JwtAuthenticationFilter(jwtTokenProvider, userRepository);
-        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/account-deletion");
+        MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
         MockHttpServletResponse response = new MockHttpServletResponse();
 
         filter.doFilter(request, response, filterChain);