100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is CORS?

Learn what CORS is — the same-origin policy, allow-origin headers and the preflight request — with examples and web development interview questions answered.

mediumQ3 of 224 in Web Development Est. time: 5 minsLast updated:
Open Code Lab

Expected Interview Answer

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that lets a server explicitly permit web pages from one origin to make requests to a different origin, relaxing the same-origin policy through a set of HTTP response headers.

By default the browser’s same-origin policy blocks a page on origin A from reading responses from origin B (a different scheme, host, or port). CORS lets the server opt in by returning headers such as Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers. For requests that can change data or use non-simple headers, the browser first sends a preflight OPTIONS request to ask permission, and only proceeds if the response approves it. Crucially, CORS is enforced by the browser — it does not protect the server itself, and non-browser clients ignore it.

  • Lets servers safely share resources with approved origins
  • Keeps the same-origin policy protecting users by default
  • Fine-grained control via allowed origins, methods and headers
  • Preflight checks guard state-changing cross-origin requests

AI Mentor Explanation

CORS is like a members’ pavilion that only admits visitors from clubs on its approved list. By default the gatekeeper (the browser) turns away anyone from another ground — the same-origin rule. To let a specific away club in, the pavilion posts an approval notice naming that club, and for anything beyond a simple look-around the visitor must first ask at the door (the preflight) and be cleared. The host decides who is allowed; the gate enforces it.

Step-by-Step Explanation

  1. Step 1

    Same-origin by default

    The browser blocks a page from reading responses from a different scheme, host, or port.

  2. Step 2

    Server opts in

    Return Access-Control-Allow-Origin (and Methods/Headers) naming the permitted origins.

  3. Step 3

    Preflight for risky requests

    Non-simple requests trigger an OPTIONS preflight the server must approve first.

  4. Step 4

    Browser enforces

    If headers approve, the browser exposes the response; otherwise it blocks reading it.

What Interviewer Expects

  • CORS relaxes the browser same-origin policy via response headers
  • What defines an origin: scheme + host + port
  • The preflight OPTIONS request and when it fires
  • That CORS is browser-enforced, not server protection

Common Mistakes

  • Thinking CORS protects the server rather than the browser user
  • Using Access-Control-Allow-Origin: * together with credentials
  • Confusing CORS blocking with the server rejecting the request
  • Forgetting the preflight needs the OPTIONS method allowed

Best Answer (HR Friendly)

CORS is a browser rule that decides whether a web page from one site is allowed to fetch data from another site. By default the browser blocks this, and the other site has to say yes by sending special headers. It protects users, and it is checked by the browser — not something that secures the server itself.

Code Example

Preflight and the CORS response headers
OPTIONS /api/orders            (browser preflight)
Origin: https://app.example.com
Access-Control-Request-Method: POST

HTTP/1.1 204 No Content        (server approves)
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization

Follow-up Questions

  • What is the same-origin policy and why does it exist?
  • When does a request trigger a CORS preflight?
  • Why can’t you use a wildcard origin with credentialed requests?
  • How is CORS different from CSRF protection?

MCQ Practice

1. CORS is enforced by?

CORS is a browser mechanism; non-browser clients ignore it entirely.

2. Which header tells the browser which origin may read a response?

Access-Control-Allow-Origin names the origin(s) permitted to read the response.

3. A CORS preflight uses which HTTP method?

The browser sends an OPTIONS request to ask permission before the real request.

Flash Cards

What does CORS stand for?Cross-Origin Resource Sharing — controlled relaxation of the same-origin policy.

What defines an origin?The combination of scheme, host, and port.

What is a preflight?An OPTIONS request the browser sends to ask the server’s permission before a risky request.

Who enforces CORS?The browser — it does not protect the server, and non-browser clients ignore it.

1 / 4

Continue Learning