When I stumbled across this issue it was because of failing tests when I switched from Spring Boot's autoconfiguration to a manually configured Spring Security Configuration. The Spring Boot had CSRF default to false, but Spring security was enabling it by default, so my tests initially failed ...
8180/mancenter # CORS is only enabled by default with the "dev" profile, so BrowserSync can access the API cors: allowed-origins: '*' allowed-methods: '*' allowed-headers: '*' exposed-headers: 'Authorization,Link,X-Total-Count' allow-credentials: true max-age: 1800 security: client-...