CORS

Security

Overview

CORS (Cross-Origin Resource Sharing) is the standard by which a server uses specific headers to say 'JavaScript from this origin is allowed to read my response,' letting the browser relax the Same-Origin Policy.

The key point is that CORS is browser-enforced, not a server-side security mechanism — the browser is the party that decides whether the response may be read.

Details

How it works: the browser attaches an `Origin` header to a cross-origin request, and the server replies with `Access-Control-Allow-Origin` naming the permitted origin. Only if that value matches the request origin does the browser hand the response to JavaScript. To send credentials (cookies), the request must opt in and the server must return `Access-Control-Allow-Credentials: true` — and in that case the wildcard `*` is not allowed for `Allow-Origin`.

Two common misconceptions: (1) CORS does not protect your server — curl, server-to-server calls, and mobile apps ignore CORS entirely and can call your API freely. CORS only governs whether cross-origin JavaScript in a browser may read the response. (2) A 'CORS error' usually means the response actually arrived but the browser blocked JS from reading it, not that the request failed. Complex requests first confirm permission via a preflight (OPTIONS) before the real request is sent.

Related types