Spring Security CORS

Deepak Jha, published in TechCret Software · 3 min read · Apr 6, 2020

In this blog post I will explain what CORS is and how to enable CORS for a RESTful web service built with Spring Boot.

First, you should understand what a cross-origin request is: a request for a resource outside the page's own origin is called a cross-origin request.

Example: a web browser loads a web page from server X and gets the required data from it, but while loading, that web page also makes another request to server Y to get data. This is called a cross-origin request because the page's origin is server X, yet the page is requesting additional data from server Y.

What is CORS?

CORS stands for Cross-Origin Resource Sharing. It is a mechanism that uses additional HTTP headers to tell the browser whether a particular web application is allowed to share resources with another web application. The important point is that the two web applications have different origins: if they share the same origin there is no problem in sharing resources, but if their origins differ they must follow a defined mechanism, and CORS is that mechanism, enabling web browsers to support cross-origin requests.

Example: take the same scenario as the first example. The browser loads a web page from server X and gets the required data from it, but while loading, that page also makes another request to server Y to get data. From a security point of view the browser should not allow this, because the page is making a request to a different server.

The browser will stop this request, because browsers do not allow a web application to share resources across origins unless CORS permits it.

I guess the question in your mind now is: what is an origin?

Let me explain. An origin is the combination of scheme, host and port that a page was loaded from. Suppose we have the domain name XYZ.com: the browser will not allow a page from this origin to share resources with another origin such as ABC.com, for example if it requires data from ABC.com/api/getEmployeeInfo.

How does CORS work?

Suppose we have two web applications, A and B, at different origins (origin 1 and origin 2), and they want to share resources between them.

So when web application A requests some resource from B (which can be anything), the CORS preflight mechanism is followed.

The preflight request is made before the actual API request. The browser sends a preflight request to server B on behalf of A, asking whether B will give data to A. Server B checks that preflight request to decide whether the call is valid. Only if B answers yes does the browser allow the actual request to server B to get the data. If B says it cannot give data to A, the browser will not allow the request to B and reports an error (`ACCESS-CONTROL-ALLOW-ORIGIN: NO`). This preflight call is also known as an OPTIONS call, because it uses the HTTP OPTIONS method.

So when the preflight request is made, the server sends CORS HTTP headers in its response.

Some commonly used headers set by servers are:

  • Access-Control-Allow-Origin: This header is set by the server and can have different values. If it is a general API that can be accessed from any domain, the value is `*`. If the server wants to restrict it to a specific domain, the server writes that domain name, for example `https://www.techcret.com`.

  • Access-Control-Allow-Methods: This header lists the HTTP methods the server allows for cross-origin requests, such as GET, DELETE, PUT, etc.; any method not listed is rejected.

Note: Some requests the browser automatically treats as simple requests, and for those it does not make any preflight request.
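As an added example (not code from the original post), here is how the preflight response headers described above can be configured for a Spring Boot REST API secured with Spring Security. It assumes Spring Boot 3 with Spring Security 6; the class name, the `/api/**` path, the allowed methods and headers, and the use of `https://www.techcret.com` as the permitted origin are illustrative values chosen for this example.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class CorsSecurityConfig {   // hypothetical class name for this example

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Spring Security's CorsFilter runs before authentication, so the
        // browser's OPTIONS preflight is answered with the headers configured below.
        http.cors(cors -> cors.configurationSource(corsConfigurationSource()));
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();

        // Access-Control-Allow-Origin, restricted form: only this origin is
        // echoed back in the preflight response. The permissive alternative,
        // config.addAllowedOrigin("*"), lets any site call the API and cannot
        // be combined with allowCredentials(true) (Spring rejects that pairing).
        config.setAllowedOrigins(List.of("https://www.techcret.com"));

        // Access-Control-Allow-Methods: methods the browser may use after preflight.
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));

        // Access-Control-Allow-Headers: request headers the page may set.
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));

        // Access-Control-Allow-Credentials: cookies / Authorization go only to
        // the explicitly listed origin above.
        config.setAllowCredentials(true);

        // Access-Control-Max-Age: let the browser cache the preflight result (seconds).
        config.setMaxAge(1800L);

        // Apply this policy to the REST API paths only (illustrative path).
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}
```

A preflight from any origin other than the listed one is answered by Spring's CorsFilter with HTTP 403 and no Access-Control-Allow-Origin header, so the browser blocks the actual request exactly as described in the preflight flow above.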
