CORS (Cross-Origin Resource Sharing) is the browser mechanism that relaxes the same-origin policy so a web app can read responses from a backend on another origin. Configuring it in Spring Security controls which origins a browser is allowed to call your backend from; it does not authenticate anyone and does not stop non-browser clients, so it complements, rather than replaces, authentication and authorization.
CORS configuration in Security in Spring Boot
Introduction
When your frontend and backend are served from different origins (different scheme, host, or port).
When you want to allow only specific websites to call your backend APIs from the browser.
When you want to stop scripts on other websites from reading your backend's responses in a victim's browser (CORS does not block non-browser clients such as curl or a script on a server).
When building APIs that will be used by web apps hosted elsewhere.
When you want to customize allowed HTTP methods or headers for cross-origin requests.
Syntax
Spring Boot
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.cors(cors -> cors.configurationSource(request -> {
            // Build the policy per request; allow-list origins, methods, and headers explicitly
            CorsConfiguration config = new CorsConfiguration();
            config.setAllowedOrigins(List.of("https://example.com"));
            config.setAllowedMethods(List.of("GET", "POST"));
            config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
            return config;
        }))
        .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
    return http.build();
}
You define CORS rules inside the security filter chain so that Spring Security's CorsFilter runs before the authentication filters. This matters because a browser's preflight OPTIONS request carries no cookies or Authorization header; if authentication ran first, the preflight would be rejected as unauthenticated and the real request would never be sent.
Use cors.configurationSource(...) to return a CorsConfiguration for the request; the allowed origins, methods, and headers you set there are what Spring echoes back in the Access-Control-Allow-* response headers.
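A complete configuration built on the pattern above, added here as an example (it is not code from the original page or from any Spring project); the package, class name, origins, and the /api/** path are assumptions. It scopes CORS to the API paths, allows credentials only against an explicit origin list, and passes the source straight into cors() so the filter wiring does not depend on a bean-name lookup:

```java
package com.example.demo;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class CorsSecurityConfig {

    // Origins allowed to call the API from a browser. Hypothetical values for this example.
    private static final List<String> TRUSTED_ORIGINS =
            List.of("https://app.example.com", "https://admin.example.com");

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration api = new CorsConfiguration();
        api.setAllowedOrigins(TRUSTED_ORIGINS);          // exact (case-insensitive) match, no wildcard
        api.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        api.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        api.setExposedHeaders(List.of("X-Request-Id"));  // extra response headers JS may read
        api.setAllowCredentials(true);                    // cookies / Authorization are sent;
                                                          // safe only with an explicit origin list
        api.setMaxAge(600L);                              // browser may cache the preflight for 10 min

        // Scope CORS to the API paths; every other path gets no CORS headers at all.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", api);
        return source;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // cors() inserts a CorsFilter ahead of the authentication filters, so OPTIONS
            // preflights (which carry no credentials) are answered before authentication.
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

The allowed header list is deliberately short: every header a frontend sends beyond the CORS-safelisted ones must appear in it, which keeps the preflight contract explicit instead of opening it with "*".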
Examples
Allows only the specified origin and HTTP methods.
Spring Boot
http.cors(cors -> cors.configurationSource(request -> {
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowedOrigins(List.of("https://myfrontend.com"));
    config.setAllowedMethods(List.of("GET", "POST", "PUT"));
    return config;
}))
Allows all origins, methods, and headers (use carefully): the origin pattern "*" makes Spring reflect whatever Origin header the request carries.
Spring Boot
http.cors(cors -> cors.configurationSource(request -> {
    CorsConfiguration config = new CorsConfiguration();
    config.addAllowedOriginPattern("*");
    config.addAllowedMethod("*");
    config.addAllowedHeader("*");
    return config;
}))
Sample Program
This Spring Boot security config allows cross-origin requests only from https://trustedsite.com with GET and POST methods. It also requires authentication for all requests.
Spring Boot
package com.example.demo;

import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.cors(cors -> cors.configurationSource(request -> {
                // Only https://trustedsite.com may call this backend from a browser
                CorsConfiguration config = new CorsConfiguration();
                config.setAllowedOrigins(List.of("https://trustedsite.com"));
                config.setAllowedMethods(List.of("GET", "POST"));
                config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
                return config;
            }))
            // Every request still needs credentials; CORS only governs browser access
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // httpBasic() without an argument is deprecated; pass Customizer.withDefaults()
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
Output
The application starts with no console output of its own. A request carrying Origin: https://trustedsite.com receives Access-Control-Allow-Origin: https://trustedsite.com in the response; a request from any other origin receives no CORS headers and the browser blocks the script from reading it. Any request without valid HTTP Basic credentials is answered with 401 Unauthorized.
Important Notes
Always list allowed origins explicitly; an exact origin list is the only setting that is safe to combine with setAllowCredentials(true).
Use addAllowedOriginPattern("*") only if you understand the risks: it reflects any requesting origin, and combined with allowCredentials it lets any website make authenticated requests on behalf of a logged-in user and read the responses. Spring rejects setAllowedOrigins with "*" plus credentials, but it does not reject the pattern form.
Test CORS settings from the browser DevTools Network tab, where you can see the preflight OPTIONS request and the Access-Control-Allow-* response headers, and from the command line by sending an OPTIONS request with Origin and Access-Control-Request-Method headers set and checking that the expected Access-Control-Allow-Origin value comes back, and that an untrusted origin gets none.
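To see why the wildcard pattern is risky, the following stand-alone program (an added example, not from the original page; it needs only spring-web on the classpath, and the origins are constructed for the demonstration) exercises CorsConfiguration.checkOrigin, the same decision Spring's DefaultCorsProcessor makes for every cross-origin request, against an explicit allow-list and against addAllowedOriginPattern("*") with credentials enabled:

```java
package com.example.demo;

import java.util.List;

import org.springframework.web.cors.CorsConfiguration;

// No server is started; this only evaluates the origin decision of each policy.
public class CorsPolicyCheck {

    // The configuration the page recommends: an explicit origin list plus credentials.
    static CorsConfiguration strictPolicy() {
        CorsConfiguration c = new CorsConfiguration();
        c.setAllowedOrigins(List.of("https://trustedsite.com"));
        c.setAllowCredentials(true);
        return c;
    }

    // The "use carefully" configuration: any origin pattern, with credentials on top.
    static CorsConfiguration wildcardPatternWithCredentials() {
        CorsConfiguration c = new CorsConfiguration();
        c.addAllowedOriginPattern("*");
        c.setAllowCredentials(true);
        return c;
    }

    // Literal "*" origin plus credentials: Spring refuses this combination outright.
    static CorsConfiguration wildcardOriginWithCredentials() {
        CorsConfiguration c = new CorsConfiguration();
        c.addAllowedOrigin("*");
        c.setAllowCredentials(true);
        return c;
    }

    // Returns the value Spring would emit in Access-Control-Allow-Origin,
    // or null when the origin is rejected (no CORS headers at all).
    static String decide(CorsConfiguration policy, String requestOrigin) {
        return policy.checkOrigin(requestOrigin);
    }

    public static void main(String[] args) {
        String trusted = "https://trustedsite.com";     // constructed: the legitimate frontend
        String attacker = "https://evil.example";       // constructed: attacker-controlled site

        // Explicit list: the trusted origin is echoed back, everything else is rejected,
        // including a subdomain, because matching is exact rather than suffix-based.
        System.out.println("strict, trusted   -> " + decide(strictPolicy(), trusted));
        System.out.println("strict, attacker  -> " + decide(strictPolicy(), attacker));
        System.out.println("strict, subdomain -> " + decide(strictPolicy(), "https://api.trustedsite.com"));

        // Pattern wildcard: the attacker's own origin is reflected, and because
        // allowCredentials is true the browser also attaches the victim's cookies,
        // so any site can read authenticated responses. Never ship this.
        System.out.println("wildcard, attacker -> " + decide(wildcardPatternWithCredentials(), attacker));

        // Literal "*" with credentials cannot be expressed in the response header,
        // so Spring throws instead of silently weakening the policy.
        try {
            decide(wildcardOriginWithCredentials(), attacker);
        } catch (IllegalArgumentException e) {
            System.out.println("allowedOrigins \"*\" + credentials rejected: " + e.getMessage());
        }
    }
}
```

The subdomain line is the one to keep in mind when tightening a policy: if you need https://*.trustedsite.com, express it with setAllowedOriginPatterns and a scoped pattern rather than falling back to "*".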
Summary
CORS configuration controls which origins a browser will let call your backend and read the responses.
In Spring Security, configure CORS inside the security filter chain so preflight requests are handled before authentication.
Always restrict origins, methods, and headers to what the frontend needs, never pair a wildcard origin with credentials, and keep authentication and authorization in place because CORS is enforced only by browsers.