Cross-Origin Resource Sharing (CORS) is essential when building APIs that interact with frontend applications across different domains. Spring Boot simplifies CORS configuration with built-in support. Here's how to handle it:

1. Global CORS Configuration

Add this to application.properties:

spring.mvc.cors.allowed-origins=https://example.com
spring.mvc.cors.allowed-methods=GET, POST, PUT, DELETE
spring.mvc.cors.allowed-headers=Content-Type, Authorization

✅ This enables CORS for all endpoints by default.
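The same global policy can be declared in Java through WebMvcConfigurer.addCorsMappings, which Spring MVC always honours. Spring Boot's documented property list carries CORS keys only for Actuator (management.endpoints.web.cors.*), so confirm with a preflight request that the properties above take effect in your version. This is an added example, not code from the original page: the class name, the app.cors.allowed-origins property and the maxAge value are assumptions.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Added example: global CORS policy for every Spring MVC endpoint.
// "app.cors.allowed-origins" is a hypothetical application property, e.g.
//   app.cors.allowed-origins=https://example.com
@Configuration
public class GlobalCorsConfig implements WebMvcConfigurer {

    private final String[] allowedOrigins;

    // Comma-separated property values are converted to String[] by Spring.
    // With no default in the placeholder, a missing property stops startup.
    public GlobalCorsConfig(@Value("${app.cors.allowed-origins}") String[] allowedOrigins) {
        for (String origin : allowedOrigins) {
            // Refuse to start with a wildcard origin (see Common Pitfalls).
            if (origin.contains("*")) {
                throw new IllegalStateException(
                        "Wildcard CORS origin is not allowed: " + origin);
            }
        }
        this.allowedOrigins = allowedOrigins.clone();
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")                  // apply to all MVC paths
                .allowedOrigins(allowedOrigins)     // exact origins only
                .allowedMethods("GET", "POST", "PUT", "DELETE")
                .allowedHeaders("Content-Type", "Authorization")
                .maxAge(3600);                      // assumed: cache preflight for 1 hour
    }
}
```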

2. Per-Endpoint Configuration

Use @CrossOrigin annotation:

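import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MyController {
    // Only this handler answers cross-origin requests, and only for this origin.
    @CrossOrigin(origins = "https://frontend.example.com")
    @GetMapping("/data")
    public ResponseEntity<?> getData() {
        return ResponseEntity.ok().build();
    }
}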

📌 Tip: Combine with @RequestMapping for more control.

3. Custom CORS Filter

Create a filter class:

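import java.io.IOException;
import jakarta.servlet.*;   // javax.servlet.* on Spring Boot 2.x
import jakarta.servlet.http.HttpServletResponse;

public class CustomCorsFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Allow a single fixed origin on every response.
        response.setHeader("Access-Control-Allow-Origin", "https://frontend.example.com");
        chain.doFilter(req, res);
    }
}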

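Register it in the @SpringBootApplication class (or any @Configuration class):

// Requires org.springframework.boot.web.servlet.FilterRegistrationBean
// and org.springframework.context.annotation.Bean.
@Bean
public FilterRegistrationBean<CustomCorsFilter> corsFilter() {
    FilterRegistrationBean<CustomCorsFilter> registration = new FilterRegistrationBean<>();
    registration.setFilter(new CustomCorsFilter());
    registration.addUrlPatterns("/*");   // run the filter for every request path
    return registration;
}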

4. Common Pitfalls

  • Missing Access-Control-Allow-Origin: Always include this header.
  • ⚠️ Wildcard (*) Risks: Avoid using * in production for security.
  • 🔄 Preflight Requests: Browsers send OPTIONS requests for complex CORS scenarios.

For advanced configurations, check our Spring Boot Security Guide 📚

[Figure: Visualizing CORS headers in API responses]