Can we use CrossOrigin * (wildcard) in production

what is the difference when you use a specific cross origin and when you put * ?

for example

@CrossOrigin(origins = localhost:8080) or 

@CrossOrigin(origins = "*") 

does it have any security issue if it is * ?

The CrossOrigin was introduced to prevent background requests from untrusted websites.

Immagine the scenario:

• You are browsing on: malicious.example.com
• The website sends a background HTTP request to "DELETE http://facebook.com/my-account" to delete your account silently

You would be pretty mad if that could happen right?

That's the main reason for CORS. It prevents XHR request from non "trusted" origins. I'd encourage you to use CORS when you can to prevent such disasters to happen.

This is a simplified version, the server might also need to enable cookies and headers, and so for the Facebook DELETE to work, but... You got the idea