An application deployed using Spring Cloud Gateway may experience 403 Forbidden errors. In the logs you will see the following:
2026-03-06T15:46:21.301290732Z] "OPTIONS /cloudfoundryapplication HTTP/2.0" 403 0 20 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36" "10.175.21.249:61974" "10.49.57.108:61076" x_forwarded_for:"10.175.21.249" x_forwarded_proto:"https" vcap_request_id:"d6b43d06-####-####-####-84ea9b7d618c" response_time:0.023140 gorouter_time:0.000396 app_id:"4e967698-####-####-####-08b1c3799505" app_index:"2" instance_id:"4d7b8cab-####-####-####-####" x_cf_routererror:"-" x_b3_traceid:"d6b43d0638d0472b5eee84ea9b7d618c" x_b3_spanid:"5eee84ea9b7d618c" x_b3_parentspanid:"-" b3:"d6b43d0638d0472b5eee84ea9b7d618c-5eee84ea9b7d618c"
Spring Cloud Gateway v2.4.1
The application uses a CorsFilter bean gated by a conditional property:
    @Component
    @Order(Ordered.HIGHEST_PRECEDENCE)
    @ConditionalOnProperty(value = "dev.disableCors", havingValue = "true")
    class CorsConfigurationSource {
        @Bean
        public CorsFilter corsFilter() {
            final var source = new UrlBasedCorsConfigurationSource();
            final var config = new CorsConfiguration();
            config.setAllowCredentials(true);
            config.addAllowedOrigin("http://localhost:4200");
            config.setAllowedMethods(List.of(
                HttpMethod.GET.name(),
                HttpMethod.PUT.name(),
                HttpMethod.POST.name(),
                HttpMethod.OPTIONS.name(),
                HttpMethod.DELETE.name()
            ));
            ...
        }
    }
A configuration refresh changed the dev.disableCors variable. This caused the @ConditionalOnProperty condition to prevent the CorsFilter bean from loading entirely.
Spring Security's default behavior blocked all browser CORS preflight OPTIONS requests with 403 Forbidden before they could reach the backend.
Set the property value to False and restage the application.
    @ConditionalOnProperty(value = "dev.disableCors", havingValue = "false")
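To confirm the symptom before the change and its absence after the restage, the access log can be scanned for rejected preflights. The script below is an added example, not part of the original article: the function names and sample lines are constructed, and it assumes that x_cf_routererror:"-" means the router recorded no error of its own, so the 403 came from the application.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the access log entry above (not real traffic).
SAMPLE_LOG = """\
2026-03-06T15:46:21Z] "OPTIONS /cloudfoundryapplication HTTP/2.0" 403 0 20 "-" "Mozilla/5.0" "10.0.0.1:61974" "10.0.0.2:61076" app_id:"app-a" x_cf_routererror:"-"
2026-03-06T15:46:22Z] "OPTIONS /cloudfoundryapplication HTTP/2.0" 403 0 20 "-" "Mozilla/5.0" "10.0.0.1:61975" "10.0.0.2:61076" app_id:"app-a" x_cf_routererror:"-"
2026-03-06T15:46:23Z] "OPTIONS /api/orders HTTP/2.0" 200 0 0 "-" "Mozilla/5.0" "10.0.0.1:61976" "10.0.0.3:61080" app_id:"app-b" x_cf_routererror:"-"
2026-03-06T15:46:24Z] "GET /api/orders HTTP/2.0" 403 0 20 "-" "Mozilla/5.0" "10.0.0.1:61977" "10.0.0.2:61076" app_id:"app-a" x_cf_routererror:"-"
2026-03-06T15:46:25Z] "OPTIONS /api/orders HTTP/2.0" 403 0 20 "-" "Mozilla/5.0" "10.0.0.1:61978" "-" app_id:"app-c" x_cf_routererror:"constructed_value"
not an access log line
"""

# Request line and status code: "METHOD /path HTTP/x.y" NNN
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# Trailing key:"value" pairs such as app_id:"..." and x_cf_routererror:"..."
FIELD = re.compile(r'(\w+):"([^"]*)"')


def parse_line(line):
    """Return method, path, status and the key:"value" fields, or None if unparseable."""
    m = REQUEST.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec.update(FIELD.findall(line[m.end():]))
    return rec


def rejected_preflights(log_text):
    """Count OPTIONS requests answered 403 by the app, keyed by (app_id, path)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "OPTIONS" or rec["status"] != 403:
            continue
        # Assumption: "-" means the router itself did not generate the error.
        if rec.get("x_cf_routererror", "-") != "-":
            continue
        hits[(rec.get("app_id", "?"), rec["path"])] += 1
    return hits


if __name__ == "__main__":
    for (app_id, path), count in rejected_preflights(SAMPLE_LOG).items():
        print(f"{count} rejected preflight(s): app_id={app_id} path={path}")
```

A non-zero count for an app after a configuration refresh points at the missing CorsFilter bean described above; the count should be empty once the application has been restaged with the corrected property.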