CORS Configuration

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which domains are allowed to access your backend APIs.

In Spring Boot, CORS configuration becomes essential when your frontend and backend run on different origins.

What is CORS?

CORS is a browser security feature that restricts web pages from making requests to a different origin than the one that served the page.

An origin is defined by:

• Protocol (http / https)
• Domain
• Port

Example:

• Frontend: http://localhost:3000 (React / Angular)
• Backend: http://localhost:8080 (Spring Boot)

👉 These are different origins, so the browser blocks requests unless CORS is configured.

Why CORS is Needed in Spring Boot

Without proper CORS configuration:

• Browser blocks API calls
• You get CORS policy error
• Frontend cannot communicate with backend

Required for:

• SPA apps (React, Angular, Vue)
• Mobile apps calling APIs
• Microservices
• Public REST APIs

Common CORS Errors

• Blocked by CORS policy
• No 'Access-Control-Allow-Origin' header
• Preflight request failed

These errors occur when CORS rules are missing or misconfigured.

CORS Request Flow (Simple Diagram)

Frontend(Browser)
        |
        |  HTTP Request
        v
BackendAPI(SpringBoot)
        |
        |  CORS Check
        v
Allowed?──YES→Responsesent
└─NO→Browserblocksrequest

Types of CORS Requests

CORS (Cross-Origin Resource Sharing) is a browser security feature that controls which websites can access your backend APIs. Understanding CORS is essential for avoiding errors and configuring your Spring Boot applications correctly.

1. Simple CORS Requests

A Simple Request is the easiest type of cross-origin request. It does not trigger a preflight (OPTIONS) request.

Conditions for a Simple Request

1. Allowed HTTP Methods
   • GET
   • POST
   • HEAD
2. Allowed Headers
   • Accept
   • Accept-Language
   • Content-Language
   • Content-Type (only these: application/x-www-form-urlencoded, multipart/form-data, text/plain)
3. Allowed Content-Type
   • application/x-www-form-urlencoded
   • multipart/form-data
   • text/plain

How It Works

Browser → Direct API Request → Spring Boot API → Responsewith CORS headers → Browser

Example: Simple GET Request

GET /api/users
Origin: <http://localhost:3000>

• Browser sends the request directly
• No OPTIONS request
• Server must include Access-Control-Allow-Origin

Spring Boot Example

@CrossOrigin(origins = "<http://localhost:3000>")
@GetMapping("/users")
public List<User>getUsers() {
return userService.getAllUsers();
}

2. Preflight CORS Requests

A Preflight Request is triggered when the browser needs to check permissions before sending the actual request.

When Preflight Happens

• Using HTTP methods other than GET/POST/HEAD (e.g., PUT, DELETE, PATCH)
• Sending custom headers like Authorization or X-Custom-Header
• Sending Content-Type as application/json
• Sending cookies or credentials

Flow of Preflight Request

Browser →OPTIONS Request (Preflight) → Spring Boot API →Access-Control-Allow-* headers → Browser → Actual API Request → Spring Boot API

Example: Preflight OPTIONS Request

OPTIONS /api/users
Origin: <http://localhost:3000>
Access-Control-Request-Method: PUT
Access-Control-Request-Headers:Authorization

Spring Boot Configuration for Preflight

registry.addMapping("/**")
        .allowedOrigins("<http://localhost:3000>")
        .allowedMethods("GET","POST","PUT","DELETE","OPTIONS")
        .allowedHeaders("*");

3. Credentialed CORS Requests

Credentialed Requests include cookies, sessions, or authorization tokens.

Examples

• JWT token in Authorization header
• Cookies / Session ID

Rules for Credentialed Requests

• allowedOrigins("*") cannot be used
• Must specify exact origin
• Must enable credentials explicitly

Flow

Browser (with cookies/token) → CORS Requestwith Credentials → Spring Boot API →Access-Control-Allow-Credentials:true → Browser

Spring Boot Example

registry.addMapping("/**")
        .allowedOrigins("<http://localhost:3000>")
        .allowedMethods("*")
        .allowedHeaders("*")
        .allowCredentials(true);

4. Non-Simple (Complex) CORS Requests

Non-Simple Requests are complex requests that trigger a preflight.

When Requests Are Non-Simple

• Using custom headers
• Sending JSON payloads
• Using HTTP methods like PUT, DELETE, PATCH

Example

• POST with application/json
• PUT with Authorization header
• DELETE request

Essentially, Non-Simple Requests = Preflight Request + Actual Request

Ways to Configure CORS in Spring Boot

CORS (Cross-Origin Resource Sharing) allows your frontend applications to access backend APIs safely. In Spring Boot, there are multiple ways to configure CORS depending on your project size and requirements.

1. @CrossOrigin (Controller or Method Level)

This approach is best for small projects or specific APIs.

@CrossOrigin(origins = "<http://localhost:3000>")
@RestController
@RequestMapping("/api/users")
publicclassUserController {

@GetMapping
public List<User>getUsers() {
return userService.getAllUsers();
    }
}

Features:

• Simple and easy to use
• Applied only to specific controllers or methods
• Not ideal for large or enterprise applications

2. Global CORS Configuration

For REST APIs and production applications, a centralized CORS setup is recommended.

@Configuration
publicclassCorsConfigimplementsWebMvcConfigurer {

@Override
publicvoidaddCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOrigins("<http://localhost:3000>")
                .allowedMethods("GET","POST","PUT","DELETE","OPTIONS")
                .allowedHeaders("*")
                .allowCredentials(true);
    }
}

Benefits:

• Centralized configuration
• Applies to all controllers
• Clean and maintainable

3. CORS with Spring Security

If your application uses Spring Security, you must configure CORS inside the security setup, otherwise requests may still fail.

Security Configuration Example

@Bean
public SecurityFilterChainsecurityFilterChain(HttpSecurity http)throws Exception {
    http
        .cors()
        .and()
        .csrf().disable()
        .authorizeHttpRequests()
        .anyRequest().authenticated();

return http.build();
}

CorsConfigurationSource Example

@Bean
public CorsConfigurationSourcecorsConfigurationSource() {
CorsConfigurationconfig=newCorsConfiguration();
    config.setAllowedOrigins(List.of("<http://localhost:3000>"));
    config.setAllowedMethods(List.of("GET","POST","PUT","DELETE"));
    config.setAllowedHeaders(List.of("*"));
    config.setAllowCredentials(true);

UrlBasedCorsConfigurationSourcesource=newUrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", config);
return source;
}

Best Practices for CORS Configuration

• Allow only trusted origins
• Avoid allowedOrigins("*") in production
• Enable OPTIONS method
• Configure CORS before security filters
• Use global configuration for large apps

CORS Configuration Comparison Methods

Conclusion

CORS configuration in Spring Boot is mandatory when your frontend and backend are on different origins.

• Prevents browser blocking
• Enables smooth frontend-backend communication
• Essential for modern REST APIs