http.cors().configurationSource(request -> new CorsConfiguration().applyPermitDefaultValues()); Try this one if you have at least Java 8: