What is CORS
CORS (Cross-Origin Resource Sharing) is a browser mechanism that lets a server declare which other origins may read its responses from script. By default the same-origin policy stops JavaScript on one origin (scheme, host and port) from reading responses to requests it sends to a different origin; CORS is the controlled relaxation of that rule. It does not keep every request from leaving the browser: simple requests are still sent, and only the response is withheld from the page.
How it works
When JavaScript on https://app.example.com calls https://api.example.com, the browser attaches an Origin request header and decides from the response whether the script may read the result. For simple requests (GET, HEAD, or POST with only safelisted headers and a form or text/plain content type), the browser sends the request straight away and checks the Access-Control-Allow-Origin response header. That header carries a single value, either the exact requesting origin or *. If it matches, the browser hands the response to the script; otherwise the response still arrives at the browser but the script cannot read it.
For non-simple requests (methods such as PUT or DELETE, custom headers such as Authorization, or a JSON body), the browser first sends a preflight: an OPTIONS request carrying Access-Control-Request-Method and Access-Control-Request-Headers that asks the server what it permits. The server replies with the allowed origin, methods and headers, and optionally a Max-Age so the answer can be cached. Only if the preflight succeeds does the browser send the actual request; after a failed preflight it is never sent.
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Max-Age: 86400
Why it matters
CORS stops a malicious site's JavaScript from reading responses from your API on behalf of a logged-in user, and a failed preflight stops non-simple requests from being sent at all. It is not a complete defense against cross-site request forgery: a simple request (a form-shaped POST, for example) is still delivered to the server with the user's cookies even though the response is blocked, so state-changing endpoints still need CSRF tokens or SameSite cookies. CORS is enforced only by browsers; server-to-server calls, curl and native mobile apps ignore it, so it is not an authorization control. Misconfiguration is one of the most common API integration problems: either too restrictive (legitimate front ends are blocked) or too permissive. Browsers refuse Access-Control-Allow-Origin: * on credentialed requests, so the dangerous permissive pattern is reflecting whatever Origin the request carried together with Access-Control-Allow-Credentials: true, which gives any site authenticated read access to the API's responses.
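The following is an added example, not code from the original page: it models both the browser's side of "How it works" (which requests trigger a preflight, and when a page may read a response) and the server's side of "Why it matters" (an exact-match origin allowlist beside the origin-reflecting misconfiguration described above). The allowlist, the sample requests and the helper names are constructed for illustration; the logic is written as pure functions over header objects so it runs offline without a real server.

```javascript
// Added example: a minimal CORS decision layer for api.example.com, written as
// pure functions over {method, headers} objects. Allowlist and requests are
// constructed for illustration and are not part of the original page.

// Headers and content types the browser treats as "simple" (no preflight).
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Browser side: does this request need an OPTIONS preflight before it is sent?
function needsPreflight(method, headers) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;           // e.g. Authorization, X-Requested-With
    if (n === "content-type") {
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) return true; // application/json forces a preflight
    }
  }
  return false;
}

// Browser side: may a page at pageOrigin read a response carrying these headers?
function browserAllowsRead(pageOrigin, respHeaders, withCredentials) {
  const acao = respHeaders["Access-Control-Allow-Origin"];
  if (!acao) return false;
  if (acao === "*") return !withCredentials;               // "*" is refused for credentialed requests
  return acao === pageOrigin &&
    (!withCredentials || respHeaders["Access-Control-Allow-Credentials"] === "true");
}

// Server side (hypothetical api.example.com policy): exact string match on origins.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// Returns the CORS response headers for a request, or {} when the Origin (or,
// on a preflight, the requested method/headers) is not permitted. Returning no
// ACAO header is what makes the browser withhold the response from the page.
function corsResponseHeaders(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers["origin"];
  if (!origin || !allowed.has(origin)) return {};           // exact match defeats evil.example/app.example.com.evil.example
  const out = {
    "Access-Control-Allow-Origin": origin,                  // echo an allowlisted value, never "*"
    "Access-Control-Allow-Credentials": "true",             // cookies / Authorization may flow
    "Vary": "Origin",                                       // shared caches must key on Origin
  };
  const wanted = req.headers["access-control-request-method"];
  if (req.method.toUpperCase() === "OPTIONS" && wanted) {  // this is a preflight
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(wanted.toUpperCase())) return {};
    if (!wantedHeaders.every(h => ALLOWED_HEADERS.includes(h))) return {};
    out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    out["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    out["Access-Control-Max-Age"] = "86400";
  }
  return out;
}

// The misconfiguration from the text: reflect any Origin and allow credentials.
// Every site on the web can now read this API's authenticated responses.
function insecureReflectingHeaders(req) {
  const origin = req.headers["origin"];
  if (!origin) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
}

// Constructed sample traffic.
const preflightFromApp = {
  method: "OPTIONS",
  headers: { origin: "https://app.example.com", "access-control-request-method": "PUT",
             "access-control-request-headers": "Authorization, Content-Type" },
};
const getFromEvil = { method: "GET", headers: { origin: "https://evil.example" } };

console.log("JSON POST needs preflight:", needsPreflight("POST", { "Content-Type": "application/json" }));
console.log("preflight from app:", corsResponseHeaders(preflightFromApp));
console.log("evil can read (allowlist):", browserAllowsRead("https://evil.example", corsResponseHeaders(getFromEvil), true));
console.log("evil can read (reflecting):", browserAllowsRead("https://evil.example", insecureReflectingHeaders(getFromEvil), true));
```

Two design points worth carrying into a real deployment: compare origins as whole strings against a set (prefix or regex checks are how https://app.example.com.evil.example slips through), and send Vary: Origin whenever the allowed origin is echoed back, otherwise a CDN may serve one origin's Access-Control-Allow-Origin to another.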
See How REST Works for how CORS interacts with REST API design.