How to fix cors issue that results Post and Put requests being blocked with status code 405

Question

Hi there,
I am experiencing cors issue with my deployment on Azure app service(Web App).
The application stack is Java(v17), Spring Boot 3.3.5, and React JS.
Currently, all post and put methods are being blocked.
When a request is sent, the response header contains "allow: GET"
Initially, I did not want to manage cors via Azure, so it was disabled and all was done via my BE codes, but still, it was blocked by azure.
Container logs is showing the following warning log when hitting post request
2025-01-28T17:32:22.309Z WARN 99 --- [app-name] [http-nio-80-exec-3] o.s.web.servlet.PageNotFound : Request method 'POST' is not supported

What I did

1. I did make sure that it is not related to my server's codes, I have enabled cors from the server side and the same code is working fine on another deployment.
2. I added origins to the app service's API -> CORS but this did not help.

Answer 1

Hi @Shavarsh Shahoyan

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to accept the answer.

Solution :

First of all, I would like to say a Big thank you all for your support and patience, I appreciate that very much, we love working with Azure and collaborating with this community!

The genuine error code was 403 but it was converted to 405 for the reason I will provide below.

I solved the problem and would like to share details so it will be helpful for others in the community. The problem was related to csrf protection that I accidentally enabled in my server codes by using @EnableWebSecurity annotation in spring boot that automatically enables csrf(

SQLCopy

.csrf(AbstractHttpConfigurer::disable)

), so In my codes for some reason, I had @EnableWebSecurity over TWO classes, in one of them I was disabling csrf, but since I had a second class with @EnableWebSecurity that was overriding the disabling of the first one and turning it on.

So when post/put was sent to the server without csrf token it was throwing 403 error(forbidden) and since I had error controller (

SQLCopy

ErrorControllerImpl implements ErrorController

)it was trying to redirect that issue to that controller, but there I had only handling for GET and not for post/put, si I went ahead and added there handling for post/put and at that point I was able to get 403 error back not 405.

SQLCopy

@RequestMapping(
    value = PATH,
    method = {RequestMethod.GET, RequestMethod.POST, RequestMethod.PUT})
public String handleError(HttpServletRequest request) {...}

so at the end I merged the codes om my two classes annotated with @EnableWebSecurity annotation into one and at that class disabled csrf and that fixed the problem.

tl:dr

1. added post/put handling to my spring boot error controller
2. use @EnableWebSecurity annotation only once in your code, if you want to disable csrf, do it there or enable it (use token repo and send token from UI to the server when requesting)
3. enable security logs to see more in logs

SQLCopy

logging.level.org.springframework.security=DEBUG

If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

Answer 2

Hi @Shavarsh Shahoyan
Thanks for the question and using MS Q&A platform.
To resolve CORS issues causing POST and PUT requests to be blocked with a status code 405, ensure your server is configured to handle these methods. The error message indicating that the 'POST' request method is not supported suggests that your server may not be set up to accept POST requests for the specific endpoint you are trying to access.

1.  Ensure the endpoint you are trying to access is configured to handle POST requests. In Spring Boot, this typically involves annotating your controller method with @PostMapping.
2. Since you mentioned enabling CORS from the server side, double-check that your CORS configuration allows POST and PUT methods. Specify allowed methods in your CORS configuration, ensuring they include POST and PUT.
3.  Although you have added origins to the Azure app service's CORS settings, ensure the allowed methods in the Azure portal also include POST and PUT. Sometimes, CORS settings in Azure can override your application settings.
4. If you have any middleware or filters in your application that might be intercepting requests, ensure they are not blocking POST or PUT requests.
5. Use browser developer tools to inspect network traffic and ensure the OPTIONS preflight request is being sent correctly and that the server responds with the appropriate CORS headers .Also, verify the response headers to confirm that the Access-Control-Allow-Origin header is present and matches the origin of your request.

By following these steps, you should be able to identify and resolve the CORS issues affecting your POST and PUT requests.
Enable Cross-Origin Requests (CORS) in ASP.NET Core
Configure cross-origin resource sharing (CORS) for Azure Container Apps (azure-portal)
https://techcommunity.microsoft.com/blog/azurepaasblog/how-to-troubleshoot-cors-error-in-azure-api-management-service/2241695
https://learn.microsoft.com/en-us/answers/questions/1393588/how-to-fix-cors-error
If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

Answer 3

Hello Community!
First of all, I would like to say a Big thank you all for your support and patience, I appreciate that very much, we love working with Azure and collaborating with this community!

The genuine error code was 403 but it was converted to 405 for the reason I will provide below.

I solved the problem and would like to share details so it will be helpful for others in the community.
The problem was related to csrf protection that I accidentally enabled in my server codes by using
@EnableWebSecurity annotation in spring boot that automatically enables csrf(

.csrf(AbstractHttpConfigurer::disable)

), so In my codes for some reason, I had @EnableWebSecurity over TWO classes, in one of them I was disabling csrf, but since I had a second class with @EnableWebSecurity that was overriding the disabling of the first one and turning it on.

So when post/put was sent to the server without csrf token it was throwing 403 error(forbidden) and since I had error controller (

ErrorControllerImpl implements ErrorController

)it was trying to redirect that issue to that controller, but there I had only handling for GET and not for post/put, si I went ahead and added there handling for post/put and at that point I was able to get 403 error back not 405.

@RequestMapping(
    value = PATH,
    method = {RequestMethod.GET, RequestMethod.POST, RequestMethod.PUT})
public String handleError(HttpServletRequest request) {...}

so at the end I merged the codes om my two classes annotated with @EnableWebSecurity annotation into one and at that class disabled csrf and that fixed the problem.

tl:dr

1. added post/put handling to my spring boot error controller
2. use @EnableWebSecurity annotation only once in your code, if you want to disable csrf, do it there or enable it (use token repo and send token from UI to the server when requesting)
3. enable security logs to see more in logs

logging.level.org.springframework.security=DEBUG