CORS

Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls which web pages can make requests to different domains, selectively relaxing the Same-Origin Policy that otherwise blocks cross-domain API calls.

The Same-Origin Policy is a critical security feature: without it, malicious websites could make authenticated requests to your bank's API using your logged-in session cookies. com, or a third-party widget needs to fetch data from its server. CORS solves this through HTTP headers. When a browser makes a cross-origin request, it includes an Origin header identifying the requesting page.

The server responds with Access-Control-Allow-Origin specifying which origins may access the response. If the requesting origin matches, the browser allows the response; otherwise it blocks it. Complex requests (non-GET, custom headers, credentials) trigger a preflight OPTIONS request: the browser asks the server what's allowed before sending the actual request.

The server responds with allowed methods, headers, and whether credentials are permitted. CORS is server-controlled, the server decides who can call it. Misconfigured CORS is a common security vulnerability: allowing any origin (Access-Control-Allow-Origin: *) with credentials exposes authenticated endpoints.

Understanding CORS prevents frustrating debugging sessions when API calls inexplicably fail in browsers but work in Postman.