
CORS configuration in Security in Spring Boot - Performance & Optimization

Performance: CORS configuration in Security
MEDIUM IMPACT
This affects how quickly the browser can safely load resources from different origins without blocking or delays.
Allowing cross-origin requests in a Spring Boot app
Spring Boot
http.cors().configurationSource(request -> {
  CorsConfiguration config = new CorsConfiguration();
  config.setAllowedOrigins(List.of("https://example.com"));
  config.setAllowedMethods(List.of("GET", "POST"));
  config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
  config.setAllowCredentials(true);
  return config;
});
Explicitly defining allowed origins and methods reduces unnecessary preflight requests and speeds up resource loading.
📈 Performance Gain: Reduces preflight requests, improving LCP by avoiding blocking network calls.
Allowing cross-origin requests in a Spring Boot app
Spring Boot
http.cors().and().csrf().disable(); // No specific CORS config, defaults apply
Using default or no CORS configuration causes browsers to send preflight OPTIONS requests that may be rejected or delayed.
📉 Performance Cost: Triggers extra preflight requests, causing delays in resource loading and blocking rendering.
Performance Comparison
| Pattern | DOM Operations | Reflows | Paint Cost | Verdict |
|---|---|---|---|---|
| Default or no CORS config | N/A | N/A | Blocks rendering until preflight completes | [X] Bad |
| Explicit CORS config with limited origins and methods | N/A | N/A | Allows faster resource loading, no blocking | [OK] Good |
Rendering Pipeline
When a browser requests a cross-origin resource, it may send a preflight OPTIONS request to check permissions before the actual request. Proper CORS config lets the server respond quickly and correctly, allowing the browser to proceed without delay.
Network Request → Resource Loading → Rendering
⚠️ Bottleneck: Network Request due to preflight OPTIONS calls
Core Web Vital Affected
LCP
Optimization Tips
1. Always specify allowed origins and methods explicitly in CORS config.
2. Avoid wildcard '*' origins when credentials are needed to reduce preflight requests.
3. Use minimal allowed headers to prevent unnecessary preflight checks.
Performance Quiz - 3 Questions
Test your performance knowledge
What impact does missing or default CORS configuration have on page load?
A. Improves page load by caching all resources
B. Has no impact on page load speed
C. Causes extra preflight requests that delay resource loading
D. Reduces network requests by combining them
DevTools: Network
How to check: Open DevTools > Network tab, filter by OPTIONS requests, reload the page, and observe whether preflight requests occur and how long they take.
What to look for: OPTIONS requests that precede the actual resource requests; fewer or faster OPTIONS requests indicate better CORS performance.