CORS
CORS is a browser security mechanism that uses HTTP headers to let servers permit web pages from other origins to access their resources.
CORS, Cross-Origin Resource Sharing, is a security feature implemented by web browsers. It governs whether a web page loaded from one origin may make requests to a different origin, and uses HTTP headers to let servers grant that permission selectively.
How It Works
Browsers enforce the same-origin policy, which by default blocks scripts on one origin (a scheme, host, and port) from reading responses from another. CORS relaxes this in a controlled way. When a page makes a cross-origin request, the browser checks the server's response for headers such as Access-Control-Allow-Origin. If the server's value matches the requesting origin, the browser allows the script to read the response; otherwise it blocks access.
For requests that can change state or use non-simple headers, the browser first sends a preflight OPTIONS request asking what the server permits. The server replies with the allowed origins, methods, and headers, and only then does the browser send the real request. Credentials like cookies require additional explicit opt-in.
Why It Matters
CORS lets modern web apps safely consume APIs hosted on other domains, which is essential for single-page applications, third-party APIs, and microservice front ends. Without it, the same-origin policy would block almost all cross-domain calls.
A crucial point is that CORS is enforced by the browser, not the server, and it protects users, not the API. It is not an authentication or authorization mechanism. Misconfiguring it, for example reflecting any origin while allowing credentials, can expose users to attacks, so allowed origins should be specified deliberately.
Related Terms
CORS governs browser access to REST APIs, is configured at servers and API gateways, and operates alongside TLS and JSON in web requests.