ARTICLE AD BOX
I’m trying to connect my React frontend (hosted on Azure Static Web Apps) to my Spring Boot backend (hosted on Azure App Service), but the CORS preflight request is failing with HTTP 403.
When I run the following curl command to simulate the browser’s preflight:
curl -i -X OPTIONS \ "https://math-morph-backend-qa-scotland-cqdchmerbueeathy.westus-01.azurewebsites.net/vpedtech/auth/login" \ -H "Origin: https://lively-field-0cb114f0f.3.azurestaticapps.net" \ -H "Access-Control-Request-Method: POST"I get this response:
HTTP/1.1 403 Forbidden Date: Mon, 24 Nov 2025 14:54:54 GMT Cache-Control: no-cache, no-store, max-age=0, must-revalidate Expires: 0 Pragma: no-cache Transfer-Encoding: chunked Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers Strict-Transport-Security: max-age=31536000 ; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 0 X-Frame-Options: DENY Invalid CORS requestHere is my Spring Boot security configuration:
@Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .csrf(csrf -> csrf.disable()) .cors(cors -> cors.configurationSource(corsConfigurationSource())) .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .exceptionHandling(e -> e.authenticationEntryPoint((req, res, ex) -> res.sendError(HttpServletResponse.SC_UNAUTHORIZED)) .accessDeniedHandler((req, res, ex) -> res.sendError(HttpServletResponse.SC_FORBIDDEN)) ); return http.build(); }And my CORS configuration:
@Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration config = new CorsConfiguration(); // 👇 IMPORTANT: your deployed frontend URL must be here // Use allowedOriginPatterns – more forgiving & modern way config.setAllowedOriginPatterns(List.of( "http://localhost:5173", "https://lively-field-0cb114f0f.3.azurestaticapps.net" )); config.setAllowedMethods(List.of("GET","POST","PUT","DELETE","OPTIONS","PATCH")); config.setAllowedHeaders(List.of("*")); config.setExposedHeaders(List.of("Authorization", "Location")); config.setAllowCredentials(true); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", config); System.out.println("🔵 CORS config initialized with allowedOrigins=" + config.getAllowedOrigins()); return source; }Any guidance or examples of a working Spring Boot 3 and Spring Security 6 CORS setup for this scenario would be appreciated.
