{"id":3724,"date":"2025-12-18T10:00:02","date_gmt":"2025-12-18T15:00:02","guid":{"rendered":"https:\/\/www.mymiller.name\/wordpress\/?p=3724"},"modified":"2025-12-18T10:00:02","modified_gmt":"2025-12-18T15:00:02","slug":"spring-cors-configuration-a-comprehensive-guide","status":"publish","type":"post","link":"https:\/\/www.mymiller.name\/wordpress\/spng_security\/spring-cors-configuration-a-comprehensive-guide\/","title":{"rendered":"Spring CORS Configuration: A Comprehensive Guide"},"content":{"rendered":"\n

Cross-Origin Resource Sharing (CORS) is a security mechanism that browsers implement to restrict web pages from making requests to a different domain than the one that served the web page. This article provides a comprehensive guide to CORS configuration in Spring, covering both enabling and disabling CORS, along with the rationale and how-to for each.<\/p>\n

Understanding CORS<\/h3>\n

Before diving into Spring configuration, it\u2019s crucial to grasp the concept of CORS. Imagine your frontend application running on http:\/\/localhost:4200<\/code> needs to fetch data from your backend API at http:\/\/localhost:8080<\/code>. Due to the different origins (domain, protocol, or port), this request is considered cross-origin. Browsers, by default, block such requests unless the server explicitly permits them through CORS headers.<\/p>\n

Enabling CORS in Spring<\/h3>\n

Reasons to Enable CORS:<\/strong><\/p>\n

    \n
  • Modern web development:<\/strong> Single Page Applications (SPAs) and frontend frameworks often reside on different domains than backend APIs, necessitating CORS.<\/li>\n
  • Third-party integrations:<\/strong> Allowing controlled access from specific origins enables integration with external services.<\/li>\n
  • API accessibility:<\/strong> Public APIs rely on CORS to grant access to various consumers.<\/li>\n<\/ul>\n

    How to Enable CORS in Spring:<\/strong><\/p>\n

    Spring offers multiple ways to configure CORS:<\/p>\n

      \n
    1. \n

      @CrossOrigin<\/code> annotation:<\/strong> This annotation can be applied at the class or method level in your @Controller<\/code> to enable CORS for specific endpoints.<\/p>\n

      @CrossOrigin(origins = "http:\/\/localhost:4200")\n@RestController\npublic class MyController {\n    \/\/ ...\n}\n<\/code><\/pre>\n<\/li>\n
    2. \n
      Global CORS Configuration:<\/strong> For broader application, configure CORS globally using WebMvcConfigurer<\/code>:<\/p>\n
      @Configuration\npublic class WebConfig implements WebMvcConfigurer {\n\n    @Override\n    public void addCorsMappings(CorsRegistry registry) {\n        registry.addMapping("\/api\/**")\n                .allowedOrigins("http:\/\/localhost:4200")\n                .allowedMethods("GET", "POST", "PUT", "DELETE");\n    }\n}\n<\/code><\/pre>\n<\/li>\n
    3. \n
      Spring Security:<\/strong> If you\u2019re using Spring Security, you need to explicitly enable CORS:<\/p>\n
      @EnableWebSecurity\npublic class SecurityConfig extends WebSecurityConfigurerAdapter {\n    @Override\n    protected void configure(HttpSecurity http) throws Exception {\n        http.cors(); \/\/ Enable CORS\n        \/\/ ... other security configurations\n    }\n}\n<\/code><\/pre>\n<\/li>\n<\/ol>\n
      Disabling CORS in Spring<\/h3>\n
      Reasons to Disable CORS:<\/strong><\/p>\n
        \n
      • Security:<\/strong> If your API is intended for internal use only within the same domain, disabling CORS adds an extra layer of security.<\/li>\n
      • Prevent unauthorized access:<\/strong> Disabling CORS prevents external websites or applications from making requests to your API.<\/li>\n<\/ul>\n
        How to Disable CORS in Spring:<\/strong><\/p>\n
        While Spring doesn\u2019t have an explicit \u201cdisable CORS\u201d option, you can achieve this by not configuring any CORS mappings or removing any existing CORS configurations. Effectively, reverting to the browser\u2019s default behavior of blocking cross-origin requests.<\/p>\n
        Important Considerations:<\/strong><\/p>\n
          \n
        • CORS preflight requests:<\/strong> For complex requests (e.g., involving custom headers or methods beyond GET\/POST), the browser sends an OPTIONS preflight request to check CORS permissions.<\/li>\n
        • Security risks:<\/strong> Misconfiguring CORS (e.g., using wildcard *<\/code> for allowed origins) can expose your API to vulnerabilities.<\/li>\n
        • Testing CORS:<\/strong> Utilize browser developer tools or online CORS testing tools to validate your CORS configuration.<\/li>\n<\/ul>\n
          By understanding the principles of CORS and utilizing Spring\u2019s flexible configuration options, you can effectively manage cross-origin requests and ensure the security and accessibility of your web applications.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":3722,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[441],"tags":[69,319],"series":[],"class_list":["post-3724","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-spng_security","tag-java-2","tag-spring"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/09\/ai-generated-8722078_1280-jpg.avif","jetpack-related-posts":[{"id":3740,"url":"https:\/\/www.mymiller.name\/wordpress\/springboot\/threading-in-spring-a-comprehensive-guide\/","url_meta":{"origin":3724,"position":0},"title":"Threading in Spring: A Comprehensive Guide","author":"Jeffery Miller","date":"December 23, 2025","format":false,"excerpt":"Threading is a crucial aspect of building modern, high-performance applications. It allows you to execute multiple tasks concurrently, improving responsiveness and utilizing system resources effectively. Spring Framework provides robust support for managing and using threads, simplifying development and ensuring efficiency. This article explores thread usage in Spring, delves into different\u2026","rel":"","context":"In "Springboot"","block_context":{"text":"Springboot","link":"https:\/\/www.mymiller.name\/wordpress\/category\/springboot\/"},"img":{"alt_text":"","src":"https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/10\/ai-generated-8248619_1280-jpg.avif","width":350,"height":200,"srcset":"https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/10\/ai-generated-8248619_1280-jpg.avif 1x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/10\/ai-generated-8248619_1280-jpg.avif 1.5x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/10\/ai-generated-8248619_1280-jpg.avif 2x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/10\/ai-generated-8248619_1280-jpg.avif 3x"},"classes":[]},{"id":3641,"url":"https:\/\/www.mymiller.name\/wordpress\/spng_security\/integrating-java-spring-with-keycloak-a-comprehensive-guide\/","url_meta":{"origin":3724,"position":1},"title":"Integrating Java Spring with Keycloak: A Comprehensive Guide","author":"Jeffery Miller","date":"December 24, 2025","format":false,"excerpt":"Java Spring, a popular framework for building enterprise-level applications, can seamlessly integrate with Keycloak, a robust open-source Identity and Access Management (IAM) solution. This combination offers a powerful way to implement secure authentication, authorization, and user management features in your Spring-based applications. Let\u2019s explore how to achieve this integration along\u2026","rel":"","context":"In "Spring Security"","block_context":{"text":"Spring Security","link":"https:\/\/www.mymiller.name\/wordpress\/category\/spng_security\/"},"img":{"alt_text":"","src":"https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/08\/ghost-7571881_1280-jpg.avif","width":350,"height":200,"srcset":"https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/08\/ghost-7571881_1280-jpg.avif 1x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/08\/ghost-7571881_1280-jpg.avif 1.5x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/08\/ghost-7571881_1280-jpg.avif 2x"},"classes":[]},{"id":3632,"url":"https:\/\/www.mymiller.name\/wordpress\/spring_sockets\/real-time-communication-with-spring-boot-websockets-a-comprehensive-guide\/","url_meta":{"origin":3724,"position":2},"title":"Real-Time Communication with Spring Boot WebSockets: A Comprehensive Guide","author":"Jeffery Miller","date":"April 20, 2026","format":false,"excerpt":"In the world of modern web applications, real-time communication has become a necessity. Whether it\u2019s live chat, collaborative editing, or real-time data updates, WebSockets have emerged as the go-to technology to enable seamless, bidirectional communication between the browser and server. In this article, we\u2019ll dive into how to harness the\u2026","rel":"","context":"In "Spring Sockets"","block_context":{"text":"Spring Sockets","link":"https:\/\/www.mymiller.name\/wordpress\/category\/spring_sockets\/"},"img":{"alt_text":"","src":"https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/07\/cpu-4393380_1280-jpg.avif","width":350,"height":200,"srcset":"https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/07\/cpu-4393380_1280-jpg.avif 1x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/07\/cpu-4393380_1280-jpg.avif 1.5x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/07\/cpu-4393380_1280-jpg.avif 2x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2024\/07\/cpu-4393380_1280-jpg.avif 3x"},"classes":[]},{"id":3816,"url":"https:\/\/www.mymiller.name\/wordpress\/spring\/securing-your-spring-boot-actuator-endpoints-a-comprehensive-guide\/","url_meta":{"origin":3724,"position":3},"title":"Securing Your Spring Boot Actuator Endpoints: A Comprehensive Guide","author":"Jeffery Miller","date":"December 24, 2025","format":false,"excerpt":"Spring Boot Actuator provides invaluable insights into the inner workings of your running application. From health checks and metrics to thread dumps and environment details, these endpoints are crucial for monitoring and managing your application in production. However, exposing them without proper security can open doors to malicious actors, potentially\u2026","rel":"","context":"In "Spring"","block_context":{"text":"Spring","link":"https:\/\/www.mymiller.name\/wordpress\/category\/spring\/"},"img":{"alt_text":"","src":"https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2025\/04\/ai-generated-8070001_1280.avif","width":350,"height":200,"srcset":"https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2025\/04\/ai-generated-8070001_1280.avif 1x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2025\/04\/ai-generated-8070001_1280.avif 1.5x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2025\/04\/ai-generated-8070001_1280.avif 2x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2025\/04\/ai-generated-8070001_1280.avif 3x"},"classes":[]},{"id":3961,"url":"https:\/\/www.mymiller.name\/wordpress\/spring\/spring4\/architecting-spring-boot-4-with-official-spring-grpc-support\/","url_meta":{"origin":3724,"position":4},"title":"Architecting Spring Boot 4 with Official Spring gRPC Support","author":"Jeffery Miller","date":"January 15, 2026","format":false,"excerpt":"For years, the Spring community relied on excellent third-party starters (like net.devh) to bridge the gap between Spring Boot and gRPC. With the evolution of Spring Boot 4 and the official Spring gRPC project, we now have native support that aligns perfectly with Spring's dependency injection, observability, and configuration models.\u2026","rel":"","context":"In "Spring4"","block_context":{"text":"Spring4","link":"https:\/\/www.mymiller.name\/wordpress\/category\/spring\/spring4\/"},"img":{"alt_text":"","src":"https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2026\/01\/Gemini_Generated_Image_3yqio33yqio33yqi.avif","width":350,"height":200,"srcset":"https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2026\/01\/Gemini_Generated_Image_3yqio33yqio33yqi.avif 1x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2026\/01\/Gemini_Generated_Image_3yqio33yqio33yqi.avif 1.5x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2026\/01\/Gemini_Generated_Image_3yqio33yqio33yqi.avif 2x, https:\/\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2026\/01\/Gemini_Generated_Image_3yqio33yqio33yqi.avif 3x"},"classes":[]},{"id":3438,"url":"https:\/\/www.mymiller.name\/wordpress\/spring\/architecting-with-spring-and-spring-cloud\/","url_meta":{"origin":3724,"position":5},"title":"Architecting with Spring and Spring Cloud","author":"Jeffery Miller","date":"December 24, 2025","format":false,"excerpt":"Building a Multi-Service Architecture with Spring 3.1.x and Spring Cloud: Unlocking the Power of Microservices In the ever-evolving landscape of software development, microservices have emerged as a powerful architectural paradigm, enabling organizations to build scalable, resilient, and agile applications. Spring, a widely adopted Java framework, provides a comprehensive suite of\u2026","rel":"","context":"In "Spring"","block_context":{"text":"Spring","link":"https:\/\/www.mymiller.name\/wordpress\/category\/spring\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2023\/11\/field-5236879_640.jpg?fit=640%2C360&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2023\/11\/field-5236879_640.jpg?fit=640%2C360&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.mymiller.name\/wordpress\/wp-content\/uploads\/2023\/11\/field-5236879_640.jpg?fit=640%2C360&ssl=1&resize=525%2C300 1.5x"},"classes":[]}],"jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/posts\/3724","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/comments?post=3724"}],"version-history":[{"count":1,"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/posts\/3724\/revisions"}],"predecessor-version":[{"id":3725,"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/posts\/3724\/revisions\/3725"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/media\/3722"}],"wp:attachment":[{"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/media?parent=3724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/categories?post=3724"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/tags?post=3724"},{"taxonomy":"series","embeddable":true,"href":"https:\/\/www.mymiller.name\/wordpress\/wp-json\/wp\/v2\/series?post=3724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}