CORS (Cross-Origin Resource Sharing)
What is CORS (Cross-Origin Resource Sharing)?
CORS (Cross-Origin Resource Sharing): A browser-enforced mechanism that lets a server selectively relax the Same-Origin Policy so that JavaScript on one origin can read responses from another.
CORS is implemented with HTTP response headers such as 'Access-Control-Allow-Origin', 'Access-Control-Allow-Methods', 'Access-Control-Allow-Headers' and 'Access-Control-Allow-Credentials'. A 'simple' request (GET, HEAD or POST carrying only safelisted headers and one of the three form-style content types) is sent immediately, and the browser decides only afterwards whether the script may read the response. For anything else the browser first sends an 'OPTIONS' preflight carrying 'Origin', 'Access-Control-Request-Method' and 'Access-Control-Request-Headers', and issues the real request only if the server's answer explicitly allows that origin, that method and those headers. CORS does not protect a server: anyone can still call the API directly with curl, and a simple cross-origin POST still reaches the server, so CORS is no substitute for CSRF defences. It only controls which origins a browser lets read the response. Misconfigurations such as reflecting the 'Origin' header while allowing credentials, matching origins by prefix or loose regex so that 'https://app.example.com.attacker.example' passes, or trusting the 'null' origin (which sandboxed iframes, 'data:' documents and cross-origin redirects produce) commonly lead to data leakage and account takeover. Browsers refuse to expose a credentialed response whose 'Access-Control-Allow-Origin' is '*', so the wildcard-with-cookies combination fails closed; the dangerous pattern in practice is dynamic reflection. A strict per-route allow-list of exact origins, with 'Vary: Origin' on the response so shared caches do not serve one origin's headers to another, is the safe default.
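The following is an added example, not code from the original page: it shows the CORS decision logic described above as pure JavaScript functions over a request-like object (`{ method, headers }`), so it runs offline without an HTTP framework. It places the reflecting misconfiguration next to an exact-match allow-list, classifies simple versus preflighted requests, and answers a preflight only with the methods and headers a hypothetical route actually permits. The allow-list, the route policy and all request values are constructed for illustration.

```javascript
// Added example (not from the page). Hypothetical allow-list and route policy.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ROUTE_POLICY = {
  '/api/profile': { methods: ['GET', 'PUT'], headers: ['content-type', 'x-csrf-token'] },
};

// What the browser treats as a "simple" request (no preflight).
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
// Headers the browser sets itself; script cannot control them, so they never trigger a preflight.
const BROWSER_SET_HEADERS = new Set(['origin', 'host', 'cookie', 'referer', 'user-agent', 'content-length']);

// Returns true when a browser would send this request without an OPTIONS preflight.
function isSimpleRequest(req) {
  if (!SAFELISTED_METHODS.has(req.method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(req.headers)) {
    const n = name.toLowerCase();
    if (BROWSER_SET_HEADERS.has(n)) continue;
    if (!SAFELISTED_HEADERS.has(n)) return false;
    if (n === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// VULNERABLE (the misconfiguration the page describes): reflect any Origin and allow
// credentials, so a script on any site can read the victim's authenticated responses.
function corsReflecting(req) {
  const origin = req.headers.origin;
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// HARDENED: exact-match allow-list, the 'null' origin is never trusted, and
// Vary: Origin stops a shared cache from replaying one origin's headers to another.
function corsAllowList(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  if (!origin || origin === 'null' || !allowed.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Answer an OPTIONS preflight for `route`: only for an allowed origin, and only
// with the method and headers that route's policy permits. Anything else is 403.
function handlePreflight(req, route, allowed = ALLOWED_ORIGINS, policy = ROUTE_POLICY) {
  const deny = { status: 403, headers: {} };
  const base = corsAllowList(req, allowed);
  const rule = policy[route];
  if (!base['Access-Control-Allow-Origin'] || !rule) return deny;
  const method = String(req.headers['access-control-request-method'] || '').toUpperCase();
  if (!rule.methods.includes(method)) return deny;
  const wanted = String(req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!wanted.every((h) => rule.headers.includes(h) || SAFELISTED_HEADERS.has(h))) return deny;
  return {
    status: 204,
    headers: {
      ...base,
      'Access-Control-Allow-Methods': rule.methods.join(', '),
      'Access-Control-Allow-Headers': rule.headers.join(', '),
      'Access-Control-Max-Age': '600',
    },
  };
}

// Constructed requests: an attacker's page and the legitimate front end.
const fromAttacker = { method: 'GET', headers: { origin: 'https://evil.example' } };
const fromApp = { method: 'GET', headers: { origin: 'https://app.example.com' } };
console.log('reflecting:', corsReflecting(fromAttacker));   // leaks to evil.example
console.log('allow-list:', corsAllowList(fromAttacker));    // {} -> browser blocks the read
console.log('allow-list:', corsAllowList(fromApp));         // headers for the real app only
```

Note that the hardened function uses `Set.has` for an exact string comparison: `https://app.example.com.attacker.example`, `http://app.example.com` and `https://app.example.com:8443` are all different origins and all rejected, which is exactly what a prefix check or an unanchored regex would get wrong.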
● Examples
- 01
API responds with 'Access-Control-Allow-Origin: https://app.example.com' and 'Access-Control-Allow-Credentials: true' only for that origin.
- 02
Misconfigured server copies whatever 'Origin' value arrives into 'Access-Control-Allow-Origin' and also sends 'Access-Control-Allow-Credentials: true', so a script on an attacker's page can read a logged-in victim's authenticated API responses.
● Frequently asked questions
What is CORS (Cross-Origin Resource Sharing)?
A browser-enforced mechanism that lets a server selectively relax the Same-Origin Policy so that JavaScript on one origin can read responses from another. It belongs to the Application Security category of cybersecurity.
What does CORS (Cross-Origin Resource Sharing) mean?
A browser-enforced mechanism that lets a server selectively relax the Same-Origin Policy so that JavaScript on one origin can read responses from another.
How do you defend against CORS (Cross-Origin Resource Sharing) misconfiguration?
Validate the 'Origin' header against an explicit per-route allow-list of exact origins (scheme, host and port), never reflect arbitrary values or match by prefix or loose regex, never trust the 'null' origin, set 'Access-Control-Allow-Credentials: true' only for origins that genuinely need cookies or other credentials, send 'Vary: Origin', and limit the methods and headers granted in preflight responses to what each route actually uses. Verify the configuration by requesting the API with a foreign 'Origin' (and with 'Origin: null') and confirming that no 'Access-Control-Allow-Origin' header comes back.
What are other names for CORS (Cross-Origin Resource Sharing)?
Common alternative names include: Cross-Origin Resource Sharing.