CORS (Cross-Origin Resource Sharing) is a security mechanism enforced by browsers that stops a web page from reading responses to requests it sends to a different origin (scheme, host and port) than the one serving the page, unless the responding server explicitly allows it.
Why it matters
- Prevents malicious websites from reading sensitive data from other sites you're logged into.
- Misconfigured CORS can expose your API to unauthorized access.
- Common source of developer frustration when integrating APIs.
- Critical for Single Page Applications (SPAs) that call backend APIs.
How CORS works
- Browser sends a request with an Origin header.
- Server responds with Access-Control-Allow-Origin header.
- Browser checks if the origin is allowed.
- If the origin is allowed, the browser lets the page's script read the response; if not, it blocks the script from reading it (the request itself still reaches the server).
Key CORS headers
- Access-Control-Allow-Origin: Specifies allowed origins (or * for any).
- Access-Control-Allow-Methods: HTTP methods allowed (GET, POST, etc.).
- Access-Control-Allow-Headers: Custom headers the client can send.
- Access-Control-Allow-Credentials: Whether cookies/auth can be sent.
- Access-Control-Max-Age: How long preflight results can be cached.
Preflight requests
For "non-simple" requests (methods other than GET, HEAD or POST, custom request headers, or a Content-Type other than the form types), browsers first send an OPTIONS request to check whether the actual request is allowed.
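The exchange described above, as an added example that is not part of the original page: needsPreflight() applies the browser's simple-request rules (going slightly beyond the text by also treating HEAD as simple and by checking the Content-Type), buildPreflightRequest() models the OPTIONS request a browser would send, and answerPreflight() is a server-side handler for it. The allowlisted origin, the allowed methods and the X-Request-Id header are assumptions for illustration; the spec's byte-level and length limits on safelisted header values are not modelled.

```javascript
// Added example: model the CORS preflight exchange from both sides.
// Origins, methods and header names below are illustrative assumptions.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True when the request is "non-simple", i.e. the browser will send an
// OPTIONS preflight before it. Simplified: value-length limits omitted.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true; // custom header
    if (lower === "content-type") {
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) return true; // e.g. application/json
    }
  }
  return false;
}

// Browser side: the OPTIONS request sent ahead of a non-simple request.
function buildPreflightRequest(origin, method, headers) {
  const requested = Object.keys(headers).map((h) => h.toLowerCase()).sort();
  const preflight = {
    method: "OPTIONS",
    headers: {
      Origin: origin,
      "Access-Control-Request-Method": method.toUpperCase(),
    },
  };
  if (requested.length > 0) {
    preflight.headers["Access-Control-Request-Headers"] = requested.join(", ");
  }
  return preflight;
}

// Server side: a fixed policy (assumed values). Unknown origins, methods
// or headers get a refusal with no Access-Control-* headers at all.
const POLICY = {
  allowedOrigins: new Set(["https://app.example.com"]),
  allowedMethods: new Set(["GET", "POST", "PUT", "DELETE"]),
  allowedHeaders: new Set(["content-type", "x-request-id"]),
  maxAgeSeconds: 600, // lets the browser cache this answer and skip repeat preflights
};

function answerPreflight(preflight, policy = POLICY) {
  const refused = { status: 403, headers: { Vary: "Origin" } };
  const origin = preflight.headers.Origin;
  if (!policy.allowedOrigins.has(origin)) return refused; // exact match only
  const method = preflight.headers["Access-Control-Request-Method"];
  const requested = (preflight.headers["Access-Control-Request-Headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!policy.allowedMethods.has(method)) return refused;
  if (!requested.every((h) => policy.allowedHeaders.has(h))) return refused;
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": [...policy.allowedMethods].join(", "),
      "Access-Control-Allow-Headers": [...policy.allowedHeaders].join(", "),
      "Access-Control-Max-Age": String(policy.maxAgeSeconds),
      Vary: "Origin", // caches must not reuse this answer for another origin
    },
  };
}

// Usage: a JSON PUT with a custom header from the allowlisted SPA origin.
const sample = { method: "PUT", headers: { "Content-Type": "application/json", "X-Request-Id": "c0ffee" } };
if (needsPreflight(sample.method, sample.headers)) {
  const preflight = buildPreflightRequest("https://app.example.com", sample.method, sample.headers);
  console.log(JSON.stringify(preflight), JSON.stringify(answerPreflight(preflight)));
}
```

A plain form POST from the same origin never reaches answerPreflight(), because needsPreflight() returns false for it; a JSON POST does, which is the usual reason an API "suddenly" sees OPTIONS requests once the client switches content types.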
Common misconfigurations
- Using Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true (browsers reject the combination).
- Reflecting the Origin header without validation (security vulnerability).
- Allowing all origins in production (defeats the purpose).
- Not handling preflight OPTIONS requests.
Secure configuration
- Whitelist specific trusted origins.
- Never use wildcard with credentials.
- Validate origins against an allowlist server-side.
- Set appropriate Access-Control-Max-Age to reduce preflight requests.