I have an API built in Java/Spring hosted on the cloud and recently came across CORS issues when a website couldn't use it. I found out my API wasn't supporting CORS. This is how I solved my problem:
https://spring.io/guides/gs/rest-service-cors/ (search "Enabling CORS" on the page)
By simply adding the @CrossOrigin annotation it will:
include CORS access control headers in its response
This seemed to solve my issue initially. However, due to the lack of involvement on my part to solve this issue (I just had to add the annotation), I'm obviously having some confusion. More issues are cropping up. I noticed when inspecting my response that I have null values for getAllResponseHeaders and getResponseHeader. So my CORS response is not sending any headers back.
Questions:
In what scenarios do I need to send response headers back? After reading the Spring doc, I learned that the @CrossOrigin annotation by default accepts all origins. This means my API should accept requests from all external resources. But apparently this is failing with a React "fetch" request. From the research I'm doing, I think I might need to send a header back, but I don't really know why/when I need to do this.
Why is Postman able to bypass CORS issues? Even before I enabled CORS server side, requests through Postman worked as expected.
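
As an added example that is not part of the original question: a simplified JavaScript model, following the Fetch standard, of the check a browser applies to a cross-origin response and of which response headers it lets page script read. The origin https://app.example, the header values and the function names are constructed for illustration.

```javascript
// Simplified model of the browser-side CORS check for a response (Fetch standard).
// Header names in `headers` are assumed lowercase; all sample values are constructed.
const SAFELISTED = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Does the browser hand the response to the calling script at all?
function corsCheck(pageOrigin, headers, credentials = "same-origin") {
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return false;            // no CORS header: blocked
  if (credentials !== "include" && allow === "*") return true;
  if (allow !== pageOrigin) return false;           // must match exactly
  if (credentials !== "include") return true;
  return headers["access-control-allow-credentials"] === "true";
}

// Which response headers can script read on a permitted cross-origin response?
function readableHeaders(headers, credentials = "same-origin") {
  const exposed = (headers["access-control-expose-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const wildcard = exposed.includes("*") && credentials !== "include";
  return Object.keys(headers).filter((name) =>
    !FORBIDDEN.has(name) &&
    (wildcard || SAFELISTED.has(name) || exposed.includes(name))).sort();
}

// Constructed responses from a hypothetical API, called from https://app.example
const noCors = { "content-type": "application/json", "x-request-id": "abc123" };
const withCors = { ...noCors, "access-control-allow-origin": "*" };
const withExpose = { ...withCors, "access-control-expose-headers": "X-Request-Id" };

function demo() {
  return {
    blockedWithoutHeader: !corsCheck("https://app.example", noCors),
    allowedWithStar: corsCheck("https://app.example", withCors),
    starWithCredentials: corsCheck("https://app.example", withCors, "include"),
    readableDefault: readableHeaders(withCors),
    readableExposed: readableHeaders(withExpose),
  };
}
console.log(demo());
```

A non-browser client such as Postman runs neither check; it reads whatever the server returns, which is why the same request can succeed there and fail from a web page.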