Challenge - 5 Problems
CORS Security Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
❓ Component behavior (intermediate)
What is the effect of this Spring Security CORS configuration?
Consider this Spring Security configuration snippet for CORS (Spring Boot):
http.cors().and().csrf().disable();
What does this configuration do regarding CORS requests?
💡 Hint
Think about what calling cors() and csrf().disable() does in Spring Security.
Explanation
Calling http.cors() adds Spring Security's CorsFilter to the filter chain, early enough that preflight requests (which carry no cookies) are answered before authentication runs. With no further customisation it takes its rules from a bean named corsConfigurationSource if one exists, and otherwise from Spring MVC's CORS mappings. Calling csrf().disable() removes CSRF protection entirely. So this configuration enables CORS handling and disables CSRF. The two settings are independent: enabling CORS does not compensate for the missing CSRF defence, and disabling CSRF is only appropriate for a stateless API that does not authenticate with session cookies or Basic auth. The chained and() style shown here is the pre-6.1 DSL; Spring Security 6.1 deprecated it in favour of the lambda form.
📝 Syntax (intermediate)
Which option correctly defines a CORS configuration source bean in Spring Boot?
You want to define a bean that customizes CORS mappings in Spring Boot Security. Which code snippet is syntactically correct?
💡 Hint
Remember the @Bean annotation and method return type are required for Spring to recognize the bean.
Explanation
The correct option carries the @Bean annotation, declares CorsConfigurationSource as its return type, and returns the configured source object. Each of the other options has a defect: one omits @Bean, so Spring never registers the method's result as a bean; one declares a void return type, so there is nothing to register; and one omits the public modifier (not strictly required by recent Spring versions, but conventional). One further detail the snippet relies on: Spring Security's cors() looks the bean up by the name corsConfigurationSource, so naming the method anything else means the bean is silently ignored unless it is wired in explicitly.
🔧 Debug (advanced)
Why does this CORS configuration not allow requests from 'http://example.com'?
Given this CORS configuration bean:
@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration config = new CorsConfiguration();
    config.addAllowedOrigin("http://example.com");   // exact origin: scheme, host and port must all match
    config.addAllowedMethod("GET");                  // no other method is allowed
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", config); // applies to every path
    return source;
}
And the security config:
http.cors().and().csrf().disable();
Why might requests from 'http://example.com' still be blocked by the browser?
💡 Hint
Think about how Spring Security matches origins with patterns.
Explanation
addAllowedOrigin registers an exact allow-list entry: the browser's Origin header must match scheme, host and port (compared case-insensitively). A page served from https://example.com, http://www.example.com or http://example.com:8080 is a different origin, gets no Access-Control-Allow-Origin header back, and the browser blocks the response. The configuration also allows only GET, so a POST, or a preflight announcing custom request headers, is rejected even from the exact origin. Spring Framework 5.3+ offers setAllowedOriginPatterns for cases such as https://*.example.com or a list of ports. Patterns widen the allow-list, so keep them as narrow as the real clients need; in particular a pattern of "*" combined with setAllowCredentials(true) reflects every requesting origin and lets any site read responses issued with the user's cookies.
❓ State output (advanced)
What is the value of 'allowedMethods' after this CORS config code runs?
Given this code snippet:
// List is java.util.List; CorsConfiguration is org.springframework.web.cors.CorsConfiguration
CorsConfiguration config = new CorsConfiguration();
config.addAllowedMethod("GET");
config.addAllowedMethod("POST");
config.setAllowedMethods(List.of("PUT", "DELETE"));
List<String> allowedMethods = config.getAllowedMethods();
What is the content of 'allowedMethods'?
💡 Hint
Consider what setAllowedMethods does compared to addAllowedMethod.
Explanation
setAllowedMethods replaces the entire list of allowed methods (it copies its argument into a fresh list), so the two earlier addAllowedMethod calls are discarded rather than merged. The final list contains only PUT and DELETE. This is more than a surprising value: CorsFilter checks the method of every CORS request against this list, so GET and POST requests from an allowed origin would now be answered with 403. Either use add calls throughout, pass the complete list to a single set call, or call set first and add afterwards.
🧠 Conceptual (expert)
Which statement best describes the role of CORS configuration in Spring Security?
Select the most accurate description of how CORS configuration interacts with Spring Security and browser behavior.
💡 Hint
Think about the difference between server-side configuration and browser enforcement.
Explanation
Spring Security's CORS support (the CorsFilter backed by a CorsConfigurationSource) emits response headers such as Access-Control-Allow-Origin that describe which cross-origin requests the server is willing to serve. The browser does the enforcing: it sends a preflight where one is required, and it stops the page's script from reading a response whose headers do not match the page's origin. The server cannot switch those browser checks off; it can only supply headers that let them pass. Two consequences matter in practice. First, a non-browser client such as curl ignores CORS entirely, so CORS is not server-side access control and is no substitute for authentication or CSRF protection; Spring does answer a non-matching CORS request with 403 "Invalid CORS request", but since the Origin header can be set freely outside a browser, that is a convenience rather than a security boundary. Second, an over-broad allow-list, above all a permissive origin combined with allowCredentials(true), lets other sites read responses issued with the victim's cookies.