
Spring Boot WebMvc: CorsRegistry, order of filters, and security matchers

CorsConfigurationSource beans must align with Spring Security's authorizeHttpRequests rules: OPTIONS requests should be permitted.
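One way to keep the two in step, as an added example that is not code from the original post: it assumes Spring Security 6.x with the lambda DSL, and the origin `https://app.example.com`, the `/api/**` path and the header names are placeholders.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Added example: origin, paths and header names are assumptions.
@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            // Registers a CorsFilter backed by the corsConfigurationSource bean below.
            .cors(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth
                // Browsers send preflight OPTIONS without credentials, so it must not require auth.
                .requestMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        // Explicit origin: with allowCredentials(true) Spring rejects the "*" wildcard here.
        cfg.setAllowedOrigins(List.of("https://app.example.com"));
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-XSRF-TOKEN"));
        cfg.setAllowCredentials(true);
        cfg.setMaxAge(3600L); // seconds a browser may cache the preflight result
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Same path pattern as the OPTIONS matcher above, so both layers cover the same URLs.
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }
}
```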


Common pitfalls

CSRF protection may block credentialed requests if tokens are not configured for SPA flows.

Actuator endpoints on management ports need separate CORS policies if exposed through proxies.

Testing

MockMvc can assert OPTIONS mapping; add integration tests with TestRestTemplate on random ports.

Verify WebMvcConfigurer addCorsMappings runs after any custom HandlerMapping beans.
