From 96586993a34f67b59308241d527b195b6d780982 Mon Sep 17 00:00:00 2001
From: Daniel Garnier-Moiroux
Date: Thu, 30 Oct 2025 15:20:24 +0100
Subject: [PATCH] Docs: document effects of disabling CORS configurer

Signed-off-by: Daniel Garnier-Moiroux
---
 docs/modules/ROOT/pages/reactive/integrations/cors.adoc | 9 ++++++++-
 docs/modules/ROOT/pages/servlet/integrations/cors.adoc | 8 ++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/docs/modules/ROOT/pages/reactive/integrations/cors.adoc b/docs/modules/ROOT/pages/reactive/integrations/cors.adoc
index 84b3a6faf05..b382ecc8142 100644
--- a/docs/modules/ROOT/pages/reactive/integrations/cors.adoc
+++ b/docs/modules/ROOT/pages/reactive/integrations/cors.adoc
@@ -1,4 +1,3 @@
-
 [[webflux-cors]]
 = CORS
 
@@ -75,3 +74,11 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
 }
 ----
 ======
+
+[WARNING]
+====
+CORS is a browser-based security feature.
+By disabling CORS in Spring Security, you are not removing CORS protection from your browser.
+Instead, you are removing CORS support from Spring Security, and users will not be able to interact with your Spring backend from a cross-origin browser application.
+To fix CORS errors in your application, you must enable CORS support, and provide an appropriate configuration source.
+====
diff --git a/docs/modules/ROOT/pages/servlet/integrations/cors.adoc b/docs/modules/ROOT/pages/servlet/integrations/cors.adoc
index 34bf7003cca..2dec417c55e 100644
--- a/docs/modules/ROOT/pages/servlet/integrations/cors.adoc
+++ b/docs/modules/ROOT/pages/servlet/integrations/cors.adoc
@@ -183,3 +183,11 @@ fun corsConfigurationSource(): UrlBasedCorsConfigurationSource {
 }
 ----
 ======
+
+[WARNING]
+====
+CORS is a browser-based security feature.
+By disabling CORS in Spring Security with `.cors(CorsConfigurer::disable)`, you are not removing CORS protection from your browser.
+Instead, you are removing CORS support from Spring Security, and users will not be able to interact with your Spring backend from a cross-origin browser application.
+To fix CORS errors in your application, you must enable CORS support, and provide an appropriate configuration source.
+====