CORS Configuration in Spring Boot Explained (With Examples)

CORS Configuration in Spring Boot Explained (With Examples)
Getting your Trinity Audio player ready...

If youโ€™ve ever seen the error:
“Access to fetch at ‘http://localhost:8080/api’ from origin ‘http://localhost:3000’ has been blocked by CORS policy”,
then you already know the frustration of CORS.

But donโ€™t worry โ€” in this article, Iโ€™ll explain what CORS is and how to configure it inย Spring Boot, step by step properly.


๐Ÿ” What is CORS?

CORS stands for Cross-Origin Resource Sharing.

Itโ€™s a security feature implemented by browsers to prevent JavaScript on one domain (e.g., localhost:3000) from making requests to another domain (e.g., localhost:8080) unless the server explicitly allows it.

This is very common in frontend-backend setups โ€” like React or Angular (frontend) calling a Spring Boot API (backend).


๐Ÿ› ๏ธ How to Fix CORS in Spring Boot

There are multiple ways to handle CORS in Spring Boot. You can pick the one that fits your use case best.


โœ… 1. Global CORS Configuration (Recommended)

If you want to allow CORS for all controllers, create a configuration class:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig {

    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/**")
                        .allowedOrigins("http://localhost:3000")
                        .allowedMethods("GET", "POST", "PUT", "DELETE")
                        .allowedHeaders("*")
                        .allowCredentials(true);
            }
        };
    }
}

๐Ÿ” allowedOrigins โ€” define which domains can access your API
๐Ÿ“ฆ allowedMethods โ€” control what HTTP methods are allowed
๐Ÿ” allowCredentials(true) โ€” use this if your request includes cookies or auth headers


โœ… 2. Controller-Level CORS Configuration

If you only want to allow CORS on specific endpoints:

@CrossOrigin(origins = "http://localhost:3000")
@RestController
@RequestMapping("/api")
public class UserController {

    @GetMapping("/users")
    public List<User> getUsers() {
        return List.of(new User(1, "John"));
    }
}

You can also customize:

@CrossOrigin(
    origins = "http://localhost:3000",
    methods = {RequestMethod.GET, RequestMethod.POST},
    allowedHeaders = "*"
)

โœ… 3. Spring Security CORS Configuration (If Using Spring Security)

If you’re using Spring Security, global CORS settings won’t work unless you enable it in the security config:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .cors() // Enable CORS
            .and()
            .csrf().disable()
            .authorizeRequests()
            .anyRequest().permitAll();

        return http.build();
    }
}

Then define a bean for CORS configuration:

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(List.of("http://localhost:3000"));
    configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
    configuration.setAllowedHeaders(List.of("*"));
    configuration.setAllowCredentials(true);

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

โ— Common CORS Mistakes

  • ๐Ÿšซ CORS must be handled on the server-side, not in frontend code.
  • ๐Ÿงช Donโ€™t use allowedOrigins("*") with allowCredentials(true) โ€” browsers will block it.
  • ๐Ÿ’ป Always test CORS using browser tools or Postman (but note: Postman doesnโ€™t enforce CORS rules like browsers do).

๐Ÿงช Testing CORS

Use your browserโ€™s DevTools > Network tab to check for CORS errors or inspect the Response Headers.

Look for:

Access-Control-Allow-Origin: http://localhost:3000

๐Ÿ“Œ Summary

CORS errors are frustrating but easy to fix in Spring Boot.
Choose from:

  • Global CORS config (for all routes)
  • Controller-level @CrossOrigin
  • Security-based CORS (if using Spring Security)

Set the allowed origins, methods, and headers based on your frontend needs, and youโ€™re good to go!


๐Ÿ”— You Might Also Like

๐Ÿ‘‰ REST API in Spring Boot Explained Clearly
๐Ÿ‘‰ Asynchronous JavaScript: Promises, Async/Await, and Callbacks