100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Web

CORS

IntermediateConcept6.8K learners

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls whether a web page running on one origin is allowed to make requests to a server on a different origin.

Definition

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls whether a web page running on one origin is allowed to make requests to a server on a different origin.

Overview

By default, browsers enforce the same-origin policy: JavaScript running on `https://app.example.com` cannot freely read responses from `https://api.other.com` unless that server explicitly allows it. CORS is the standardized set of HTTP headers that lets a server opt into cross-origin access in a controlled way, rather than either blocking everything or allowing everything. For simple requests, the browser sends the request and checks whether the response includes an `Access-Control-Allow-Origin` header matching the calling origin. For requests that aren't "simple" — using methods like PUT or DELETE, custom headers, or content types like `application/json` — the browser first sends a preflight OPTIONS request asking the server what's allowed, and only proceeds with the real request if the server responds with matching `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers`. When a request needs to include cookies or authentication, the server must also explicitly set `Access-Control-Allow-Credentials: true`, and cannot combine it with a wildcard origin. CORS is purely a browser-enforced protection — it does nothing to stop server-to-server requests or tools like curl, and misconfiguring it (for example, echoing back any origin with credentials enabled) can create real security holes. Getting CORS right is a routine part of building a REST API that's consumed by a separately hosted frontend, and it interacts closely with how session management and cookies behave across origins. It is often mentioned alongside Cookie in this space.

Key Concepts

  • Enforced by browsers, not servers — it does not block non-browser HTTP clients
  • Governed by response headers like Access-Control-Allow-Origin and -Methods
  • Preflight OPTIONS requests check permissions before "non-simple" cross-origin calls
  • Access-Control-Allow-Credentials is required to send cookies cross-origin
  • Wildcard origins (*) cannot be combined with credentialed requests
  • Misconfigured CORS can inadvertently expose sensitive endpoints to any origin
  • Distinct from CSRF protection, though the two are frequently discussed together

Use Cases

Allowing a frontend hosted on one domain to call an API hosted on another
Enabling third-party widgets or SDKs to call a company's public API from browsers
Restricting which domains can embed or consume a company's internal API
Debugging why a browser blocks a fetch/XHR request that works fine via curl
Supporting local development where the frontend and backend run on different ports

Frequently Asked Questions