Spring Boot @CrossOrigin Example

1. Introduction

Cross-origin resource sharing (CORS) is a security feature that restricts web applications from making requests to domains different from the one that served the web application. However, there are cases where you need to allow such cross-origin requests. Spring Boot provides the @CrossOrigin annotation to handle this scenario, allowing you to define how your application handles cross-origin requests at both the controller and method levels.

Key Points:

1. @CrossOrigin is used to enable CORS on Spring Boot applications.

2. It can be applied at the controller level to allow CORS for all handler methods within the controller.

3. You can also use it at the individual method level for fine-grained control.

4. The annotation supports configuration options like origins, methods, allowedHeaders, exposedHeaders, allowCredentials, and maxAge.

2. Implementation Steps

1. Create a Spring Boot application with a REST controller.

2. Use the @CrossOrigin annotation to configure CORS at the class or method level.

3. Specify the domains, methods, and headers for CORS configuration.

4. Test CORS configuration by making cross-origin requests from different domains.

3. Implementation Example

Here is the complete code that demonstrates the usage of @CrossOrigin annotation:
// Step 1: Create a REST controller in your Spring Boot application
public class DataController {

    // Step 2: Configure CORS at the method level
    @CrossOrigin(origins = "http://localhost:3000.com", maxAge = 3600)
    public ResponseEntity<String> getData() {
        return ResponseEntity.ok("Data from cross-origin allowed source");

// Step 2 (alternate): Configure CORS at the controller level
@CrossOrigin(origins = "*", allowedHeaders = "*")
public class DataController {

// Step 4: Main application class to bootstrap the application
public class CorsApplication {
    public static void main(String[] args) {
        SpringApplication.run(CorsApplication.class, args);

// Test making requests to /api/data from https://example.com and /api/update from any origin.


// Response for GET /api/data:
Data from cross-origin allowed source
// Response for POST /api/update with any origin:
Data updated successfully


1. DataController class is annotated with @RestController and @RequestMapping to handle API requests.

2. @CrossOrigin(origins = "https://example.com", maxAge = 3600) on getData method allows GET requests from the origin "https://example.com" and sets the max age for the CORS configuration to 1 hour.

3. @CrossOrigin(origins = "", allowedHeaders = "") on the class level that handles all requests from all origins with any headers. If you apply @CrossOrigin on the class level then it will be applicable to all the handler methods defined within that class.

4. CorsApplication class includes the main method that starts the Spring Boot application.

5. The output when a GET request is made to /api/data from "https://example.com" or a POST request to /api/update from any origin is the respective success message.

6. These responses indicate that the @CrossOrigin settings are effectively allowing the specified cross-origin requests.