What is CORS?
CORS (Cross-Origin Resource Sharing) is a browser security feature that controls whether a web page on one origin can make requests to a different origin and read the responses. By default the browser prevents a page from reading a cross-origin response; the server must opt in with specific response headers.
The key header is Access-Control-Allow-Origin. For some requests the browser first sends a "preflight" OPTIONS request to check permissions.
Key points
- Enforced by the browser, configured by the server.
- Controlled mainly via the Access-Control-Allow-Origin header.
- Some requests trigger a preflight OPTIONS check.
- A CORS error is a browser block, not a server crash.
Example
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST
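To show how the server side of the headers above is decided, here is an added example (not code from the original page) that computes the CORS response headers for one request against a strict origin allowlist, handles the preflight OPTIONS check, and models the browser-side comparison that actually enforces the result. The allowed origin, methods, headers and max-age are constructed values for illustration; the header names are the standard ones.

```python
# Added example (not from the page): server-side CORS decision with a strict
# origin allowlist, plus a model of the browser-side check. Origins, methods
# and headers below are constructed values, not a real deployment.
from urllib.parse import urlsplit

# Exact origins (scheme + host [+ port]) allowed to call this API. Constructed.
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"content-type", "authorization"}
PREFLIGHT_MAX_AGE = 600  # seconds the browser may cache a preflight result


def canonical_origin(origin):
    """Return 'scheme://host[:port]' in lower case, or None if malformed."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(method, request_headers):
    """Compute the CORS response headers for one request.

    request_headers is a dict with lower-case header names. Returns {} when
    the request is not a cross-origin browser request or the origin is not
    allowed; the browser then blocks the page from reading the response.
    """
    origin = request_headers.get("origin")
    if origin is None:
        return {}  # same-origin or non-browser client: CORS does not apply
    if canonical_origin(origin) not in ALLOWED_ORIGINS:
        return {}  # not on the allowlist: never reflect an unknown origin

    headers = {
        # Echo the allowed origin exactly; never "*" together with credentials.
        "Access-Control-Allow-Origin": origin,
        # The response depends on Origin, so shared caches must key on it.
        "Vary": "Origin",
    }
    requested = request_headers.get("access-control-request-method")
    if method == "OPTIONS" and requested is not None:
        # Preflight: the browser asks whether the real request is permitted.
        raw = request_headers.get("access-control-request-headers", "")
        wanted = {h.strip().lower() for h in raw.split(",") if h.strip()}
        if requested.upper() not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
            return {}  # deny: the browser fails the preflight and never sends the request
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        headers["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    return headers


def browser_allows_read(page_origin, response_headers):
    """Model of the browser-side check: may the page at page_origin read the response?

    The browser accepts either its own origin echoed back or a bare "*".
    """
    allowed = response_headers.get("Access-Control-Allow-Origin")
    return allowed == "*" or allowed == page_origin


if __name__ == "__main__":
    # Constructed requests: one allowed, one from an origin not on the list.
    for origin in ("https://app.example.com", "https://other.example.net"):
        resp = cors_headers("GET", {"origin": origin})
        print(origin, "->", resp, "| readable:", browser_allows_read(origin, resp))
```

The two functions together illustrate the "enforced by the browser, configured by the server" point: the server only emits headers, and `browser_allows_read` is where the block actually happens. Returning an empty dict for unknown origins (rather than reflecting whatever `Origin` arrived) is the safe default when an allowlist is in use.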
Common uses
- Allowing a frontend to call an API on another domain
- Exposing a public API to browser clients
- Restricting which origins may use your API
- Debugging "blocked by CORS policy" errors