CORS with Spring Boot - restrict GET requests to certain domains

Question

I am using Spring Boot and would like to restrict HTTP GET requests only from certain domains. For example, I would like to accept requests only from a list of predefined domains (e.g. https://www.frontend.com, https://www.test-frontend.com). How could I implement such a functionality?

I expected to face CORS issues, but theses do not apply for GET requests. Any ideas?

You can’t use CORS configuration to block requests from non-browser clients. See the answers at https://stackoverflow.com/questions/42708660/cors-allowed-origin-restrictions-aren-t-causing-the-server-to-reject-requests-c/42708766#42708766 and https://stackoverflow.com/questions/43432743/will-cors-policy-prevent-resource-access-from-non-browser-requests/43432787#43432787 — sideshowbarker, Nov 14 '18 at 22:44

score 1 · Answer 1 · answered Nov 14 '18 at 21:20

public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
            .allowedOrigins("https://www.frontend.com", "https://www.test-frontend.com")
            .allowedMethods("GET");
    }

Reference: https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/cors.html

score 1 · Answer 2 · edited Feb 24 '19 at 21:02

1

First .allowedMethods use for allow methods so if you don't want to allow "GET" then put all others methods but do not put GET method, like below:

.allowedMethods("PUT", "DELETE", "PATCH")

and second you can not CORS by non-webapp clients like curl or Postman, any non web app client.

edited Feb 24 '19 at 21:02

halfer

19,824
17
99
186

answered Nov 15 '18 at 03:05

kj007

6,073
4
29
47

I had a similar configuration. I was using Postman, that was the problem. – Stamatis Rapanakis Nov 15 '18 at 08:29

CORS with Spring Boot - restrict GET requests to certain domains

2 Answers2