I just got a report from a "security scanning" of my web application based on Spring, and this report states that OPTIONS working like this allows for probing the API for allowed methods on an endpoint, which makes the life of an attacker easier. Moreover, it is not possible to block such an attacker on a firewall (WAF) when he/she probes endpoints like this, since the response is correct (HTTP 200). So I guess my point is that this feature should be easily turned off in application.properties or something. I found the key:
is causing the responses to be misleading by containing all HTTP methods in the response instead of the actual ones mapped in controllers.
Please refrain from commenting on 2-year-old tickets. Once a release is shipped, tickets are closed and will never be re-opened. You need to create a new ticket. Keep in mind the advice from your security tools is far from clear and debatable at best. As for the option you're pointing out, that's in Spring Boot (a separate project) with its own issue tracker.