CORS Explained
Control which web origins can read responses from your API: the browser mechanism that permits legitimate cross-origin requests while keeping other sites from reading the results.
CORS (Cross-Origin Resource Sharing)
CORS is a browser security mechanism that controls which web origins can access resources on a server, using HTTP headers to relax the same-origin policy for legitimate cross-origin requests.
Explanation
Browsers enforce the same-origin policy: JavaScript running on one origin (scheme + host + port) cannot read responses from a different origin. CORS relaxes this restriction using HTTP headers. The server sets Access-Control-Allow-Origin to name the origin permitted to read its responses; the browser compares that value with the page's origin and withholds the response from scripts if it does not match. For requests outside the simple set (a method other than GET, HEAD or POST, a custom header, or a Content-Type such as application/json), the browser first sends a preflight OPTIONS request and issues the real request only if the preflight answer permits it. Further headers (Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials) control which methods, headers and credentials are allowed. Misconfigured CORS, most commonly reflecting whatever Origin value the request carries back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, lets any website make a logged-in user's browser call the API with that user's cookies and read the result. CORS is also not server-side access control: a request whose response the browser refuses to expose has still reached and been processed by the server, so authentication and authorization must hold regardless of the Origin header. Properly configured CORS enables legitimate frontend-backend communication across origins while keeping other sites out of the user's authenticated session.
Bookuvai Implementation
Bookuvai configures CORS precisely for every API: allowing only the specific frontend origins that need access, limiting allowed methods and headers, and properly handling credentials. We test CORS configuration in CI and audit it during security reviews.
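To make the allowlist approach described above concrete, here is an added example (not Bookuvai's code and not from the original page) of server-side CORS decisions written as pure functions, so the policy can be unit-tested without a running server. It places the two common mistakes, unconditional Origin reflection and prefix matching, beside an exact-match allowlist and a preflight handler built on it. The origins in ALLOWED_ORIGINS and the method and header lists are constructed for illustration.

```javascript
// Added example, not Bookuvai's code: server-side CORS decisions written as
// pure functions so the policy can be unit-tested without a running server.
// ALLOWED_ORIGINS, ALLOWED_METHODS and ALLOWED_HEADERS are constructed values.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// VULNERABLE: echo whatever Origin the request carries and allow credentials.
// Browsers refuse "*" together with credentials, so unconditional reflection
// is how that forbidden combination shows up in practice: any site can make a
// logged-in user's browser call the API with cookies and read the response.
function corsReflecting(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// ALSO VULNERABLE: prefix (or substring/regex) matching on the Origin string.
// "https://app.example.com.attacker.net" passes this check.
function corsPrefixMatch(origin) {
  if (!origin || !origin.startsWith("https://app.example.com")) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// HARDENED: exact match of the full origin (scheme + host + port) against a
// fixed allowlist, so "null", http:// variants and look-alike hosts all fail.
// Vary: Origin is always sent so a shared cache never serves one origin's
// CORS headers to another. Credentials are allowed only for a listed origin.
function corsAllowlist(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" };
  if (!origin || !allowed.has(origin)) {
    return headers; // no Access-Control-Allow-Origin: the browser withholds the response
  }
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Preflight handler for the allowlist policy. requestedMethod and
// requestedHeaders come from Access-Control-Request-Method and
// Access-Control-Request-Headers on the OPTIONS request. Anything outside the
// allowlists gets a 403 with no CORS grant; a valid preflight gets exactly the
// methods and headers the API uses, nothing broader.
function handlePreflight(origin, requestedMethod, requestedHeaders = []) {
  const headers = corsAllowlist(origin);
  const methodOk = ALLOWED_METHODS.includes((requestedMethod || "").toUpperCase());
  const headersOk = requestedHeaders.every((h) => ALLOWED_HEADERS.includes(h.toLowerCase()));
  if (!headers["Access-Control-Allow-Origin"] || !methodOk || !headersOk) {
    return { status: 403, headers: { Vary: "Origin" } };
  }
  return {
    status: 204,
    headers: {
      ...headers,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": "Content-Type, Authorization",
      "Access-Control-Max-Age": "600",
    },
  };
}
```

The actual (non-preflight) response must carry the corsAllowlist headers as well, since the browser checks Access-Control-Allow-Origin on both. None of this replaces authentication on the server: corsAllowlist only decides whether a browser may expose the response, not whether the request is processed.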
Key Facts
- Browser mechanism that controls cross-origin resource access
- Uses HTTP headers like Access-Control-Allow-Origin
- Preflight OPTIONS requests check permissions for complex requests
- Misconfigured CORS (reflecting any Origin while allowing credentials, or prefix-matching origins) lets other sites read authenticated responses
- Required when frontend and backend are on different origins
Frequently Asked Questions
- Why does CORS only affect browsers?
- CORS is enforced by browsers as part of the same-origin policy. Server-to-server requests, mobile apps, and CLI tools do not enforce CORS, which is why the same API works from Postman but fails from a browser. The server still receives and processes a request the browser later refuses to expose, so CORS is not a substitute for authentication and authorization.
- What is a preflight request?
- A preflight is an automatic OPTIONS request the browser sends before a cross-origin request that falls outside the simple set: a method other than GET, HEAD or POST, a header the browser does not safelist (Authorization, X-Requested-With, any custom header), or a Content-Type other than form-encoded, multipart or text/plain. Sending cookies does not by itself trigger a preflight. The preflight carries Access-Control-Request-Method and Access-Control-Request-Headers; the server answers with the origins, methods and headers it allows. The browser sends the real request only if that answer covers the origin, the method and every requested header.
- Is Access-Control-Allow-Origin: * safe?
- Wildcard (*) is acceptable for public, unauthenticated APIs whose responses contain nothing tied to the caller. Browsers refuse to combine * with credentials (cookies, HTTP authentication, TLS client certificates): a credentialed response carrying Access-Control-Allow-Origin: * is discarded. For APIs requiring authentication, validate the Origin header against an exact allowlist and echo only a matching value. Do not reflect the Origin unconditionally, which behaves like a wildcard with credentials, and do not match on prefixes or substrings, which attacker-controlled hostnames can satisfy.
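The preflight and wildcard answers above describe rules the browser applies. The following added example (not from the original page or from Bookuvai) models that browser-side logic: which requests get a preflight, and how the browser judges a preflight response, including the two wildcard limits (no * with credentials, and Access-Control-Allow-Headers: * never covering Authorization). The request objects are constructed for the example.

```javascript
// Added example, not code from the original page or from Bookuvai: a model of
// the browser's side of CORS, covering the preflight decision and the check
// the browser runs on the preflight response. Request objects are constructed.

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Lower-cased names of request headers that are NOT CORS-safelisted.
// Content-Type counts as unsafe once its media type leaves the three
// form/text types, which is why a JSON POST is preflighted and a form POST is not.
function unsafeHeaderNames(headers) {
  const names = [];
  for (const [name, value] of Object.entries(headers || {})) {
    const lower = name.toLowerCase();
    const mime = String(value).split(";")[0].trim().toLowerCase();
    if (!SAFE_HEADERS.has(lower)) names.push(lower);
    else if (lower === "content-type" && !SAFE_CONTENT_TYPES.has(mime)) names.push(lower);
  }
  return names;
}

// A request is preflighted when its method or any header is outside the
// safelist. req.credentials (cookies, HTTP auth) deliberately plays no part:
// sending cookies does not by itself trigger a preflight.
function needsPreflight(req) {
  return !SAFE_METHODS.has(req.method.toUpperCase())
    || unsafeHeaderNames(req.headers).length > 0;
}

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// The browser's check of a preflight response for a page at `origin`.
// "*" never satisfies a credentialed request, and "*" in
// Access-Control-Allow-Headers never covers Authorization.
function preflightAllows(origin, req, respHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(respHeaders)) h[k.toLowerCase()] = v;
  const credentialed = Boolean(req.credentials);

  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*" ? credentialed : acao !== origin) return false;
  if (credentialed && h["access-control-allow-credentials"] !== "true") return false;

  const method = req.method.toUpperCase();
  const methods = splitList(h["access-control-allow-methods"]).map((m) => m.toUpperCase());
  const methodOk = SAFE_METHODS.has(method) || methods.includes(method)
    || (methods.includes("*") && !credentialed);
  if (!methodOk) return false;

  const allowed = splitList(h["access-control-allow-headers"]).map((n) => n.toLowerCase());
  const headerWildcard = allowed.includes("*") && !credentialed;
  return unsafeHeaderNames(req.headers).every((name) =>
    allowed.includes(name) || (headerWildcard && name !== "authorization"));
}
```

Calling needsPreflight on a credentialed GET with no custom headers returns false, which is the case people most often get wrong: the cookies go out without any preflight, and only the response is gated. The same function returns true for a POST with Content-Type: application/json, so an API that accepts only JSON gets a preflight on every cross-origin write.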