CORS Explained
Complete guide to Cross-Origin Resource Sharing — how it works, every header explained, and common errors with fixes.
Overview
What is CORS?
Cross-Origin Resource Sharing (CORS) is an HTTP-header-based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. Browsers enforce the Same-Origin Policy by default, which blocks web pages from making requests to a different origin than the one that served the page.
The Same-Origin Policy
Two URLs have the same origin if they share the same scheme (http/https), host, and port. For example, https://app.example.com and https://api.example.com are different origins because the host differs. The Same-Origin Policy prevents a malicious site from reading sensitive data from another site — CORS is the mechanism that relaxes this restriction in a controlled way.
Simple Requests vs. Preflight
A "simple request" uses GET, HEAD, or POST with only CORS-safelisted headers and does not trigger a preflight. All other cross-origin requests — those using methods like PUT or DELETE, or including headers like Authorization — trigger a preflight: the browser first sends an OPTIONS request to ask the server for permission before sending the actual request.
How CORS Works
Simple Request
Origin: https://app.example.com
Access-Control-Allow-Origin: *
Preflight Request
Access-Control-Request-Method: DELETE
Access-Control-Allow-Methods: DELETE
Origin: https://app.example.com
CORS Headers
Common Errors
Related Guides
HTTP Status Codes
Complete reference of all HTTP status codes with descriptions and examples.
BrowseHTTP Headers
Common HTTP headers explained with syntax, examples, and common values.
BrowseHTTP Methods
Complete guide to HTTP request methods with comparison tables and examples.
BrowseMIME Types
Complete reference of common MIME types with file extensions, categories, and usage examples.
Browse