What is the CORS ?

Lakmal Asela - Sep 16 - - Dev Community

CORS- Cross-Origin Resource Sharing-is a security feature used by web browsers. This feature stops a web page from requesting resources, or data, from a domain different from the one that served the web page. It is done to protect the users by disallowing malicious sites from sending unauthorized requests to servers or APIs at other domains.

Image description

How CORS Works

When a web page, in a certain origin, sends a request to a different origin, the browser first checks if the server allows this kind of cross-origin request. If it isn't so configured, the browser blocks the request. CORS defines a way in which a server can safely handle these cross-origin requests.

CORS relies on HTTP headers to let the server inform the browser whether or not the request is allowed. The key headers include:

  • Access-Control-Allow-Origin: Specifies which origin(s) are allowed to make requests (e.g., a specific domain or * for any domain).

  • Access-Control-Allow-Methods: Specifies which HTTP methods (e.g., GET, POST) are allowed.

  • Access-Control-Allow-Headers: Specifies which headers can be included in the request.

  • Access-Control-Allow-Credentials: Indicates whether credentials like cookies or authorization headers are allowed to be sent.

Why CORS is Used

  • Security: This is one of the most important features. It makes sure that there aren't any unauthorized requests allowed between different sites. A script originating from one domain is not allowed to access resources from another domain unless explicitly allowed.

  • Controlled Sharing: This is a controlled exposure to resources from other origins, notably in cases when APIs or services are consumed by applications hosted over different domains.

CORS Implementation in Spring Boot

Global Configuration

package com.logmaven.exmaven.configuration;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Allowing CORS requests from http://localhost:3000
        registry.addMapping("/**")  // Apply to all endpoints
                .allowedOrigins("http://localhost:3000")  // Allow requests from this origin
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")  // Allow these HTTP methods
                .allowedHeaders("*")  // Allow all headers
                .allowCredentials(true);  // Allow credentials like cookies
    }

}
Enter fullscreen mode Exit fullscreen mode

CORS Configuration Using Spring Security

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable() // Enable CORS and disable CSRF for simplicity
            .authorizeRequests()
            .anyRequest().authenticated(); // Allow only authenticated requests
        return http.build();
    }

    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("http://localhost:3000");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }
}
Enter fullscreen mode Exit fullscreen mode

This configuration enables CORS for all endpoints, allowing requests from http://localhost:3000. You can adjust it to your specific requirements, including credentials, headers, and allowed HTTP methods.

Advantages of CORS

  • Security Control: Prevents unauthorized cross-origin requests.

  • Granular Access: Allows fine-grained access to resources based on origin, methods, and headers.

  • Interoperability: This allows modern web applications to securely consume APIs and services from different origins.

Image
How can I automatically navigate to a page specified in a link within an email when the user logs in automatically?
Image
Breakthrough for Mamba: ReMamba Boosts Long-Sequence Modeling Prowess
Image
Efficient Parallelism for Training Massive Language Models: Seq1F1B Sequence-Level Pipeline
Image
Power BI vs. Excel: When to Use Each Tool for Optimal Results
Image
Glam Up My Markup: Space

devchallenge, frontendchallenge, css, javascript
Image
Unlocking Generative Power: A Comprehensive Guide to Variational Auto-Encoders
Image
Fair Royalties for Generative AI: The Shapley Royalty Share Framework
Image
Run WordPress locally using Docker!
Image
Tether & USDC: The Backbone of 2024's Stablecoin Surge Amid Security Concerns
Image
A Fun Experiment: Create an Electronic Spider with JavaScript
Image
what is data modeling?
Image
Redis: The Ultimate Guide to In-Memory Data Structure Store

webdev, javascript, database, learning
Image
The Magic of `static` in Java: One for All, and All for One!
Image
See you at EuRuKo 2024
Image
The "IO to the Boundary" principle

architecture, rails, designpatterns, softwaredevelopment
Image
The Intersection of Cybersecurity and Artificial Intelligence: A New Frontier
Image
Share 4 Animation Libraries to Help You Create a Visual Feast and Double Your Chill Time!
Image
Should you use ChatGPT for learning programming?
Image
DJ Databass
. . . . .
Terabox Video Player