Annotation Interface CrossOrigin
Both Spring Web MVC and Spring WebFlux support this annotation through the
RequestMappingHandlerMapping in their respective modules. The values
from each type and method level pair of annotations are added to a
CorsConfiguration and then default values are applied via
The rules for combining global and local configuration are generally
additive -- e.g. all global and all local origins. For those attributes
where only a single value can be accepted such as
maxAge, the local overrides the global value.
CorsConfiguration.combine(CorsConfiguration) for more details.
- Russell Allen, Sebastien Deleuze, Sam Brannen, Ruslan Akhundov
Optional Element SummaryModifier and TypeOptional ElementDescriptionWhether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint.The list of request headers that are permitted in actual requests, possibly
"*"to allow all headers.The List of response headers that the user-agent will allow the client to access on an actual response, other than "simple" headers, i.e.
longThe maximum age (in seconds) of the cache duration for preflight responses.The list of supported HTTP request methods.Alternative to
origins()that supports more flexible origin patterns.A list of origins for which cross-origin requests are allowed.
originsA list of origins for which cross-origin requests are allowed. Please, see
By default all origins are allowed unless
originPatterns()is also set in which case
originPatternsis used instead.
originPatternsString originPatternsAlternative to
origins()that supports more flexible origin patterns. Please, see
By default this is not set.
allowedHeadersString allowedHeadersThe list of request headers that are permitted in actual requests, possibly
"*"to allow all headers.
Allowed headers are listed in the
Access-Control-Allow-Headersresponse header of preflight requests.
A header name is not required to be listed if it is one of:
Pragmaas per the CORS spec.
By default all requested headers are allowed.
exposedHeadersString exposedHeadersThe List of response headers that the user-agent will allow the client to access on an actual response, other than "simple" headers, i.e.
Exposed headers are listed in the
Access-Control-Expose-Headersresponse header of actual CORS requests.
The special value
"*"allows all headers to be exposed for non-credentialed requests.
By default no headers are listed as exposed.
methodsRequestMethod methodsThe list of supported HTTP request methods.
By default the supported methods are the same as the ones to which a controller method is mapped.
allowCredentialsString allowCredentialsWhether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint. The configured value is set on the
Access-Control-Allow-Credentialsresponse header of preflight requests.
NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the surface attack of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.
By default this is not set in which case the
Access-Control-Allow-Credentialsheader is also not set and credentials are therefore not allowed.
maxAgelong maxAgeThe maximum age (in seconds) of the cache duration for preflight responses.
This property controls the value of the
Access-Control-Max-Ageresponse header of preflight requests.
Setting this to a reasonable value can reduce the number of preflight request/response interactions required by the browser. A negative value means undefined.
By default this is set to
1800seconds (30 minutes).