CORS headers

What the RFC says

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. (Fetch Standard §3.1) — Fetch Standard (WHATWG), RFC 6454 (Origin)

Example

Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400  # cache preflight for 1 day
Access-Control-Expose-Headers: X-Custom-Header

Real-world implementations

• Public APIs (Stripe, GitHub): `Access-Control-Allow-Origin: *` for read endpoints, specific origins for credentialed endpoints.
• Preflight: browser sends `OPTIONS` with `Origin` and `Access-Control-Request-Method` before the actual request — server must respond 200 + headers.
• Cloudflare's CORS rules let you whitelist origins server-side without backend changes.

Common misuses (don't do this)

• WARNING: `Access-Control-Allow-Origin: *` + `Access-Control-Allow-Credentials: true` is INVALID. Browsers reject this combo. Use specific origins with credentials.
• Forgetting to handle OPTIONS preflight — preflight returns 401/403, real request never fires.
• Echoing client's `Origin` header without validating — opens up trusted-origin bypass. Keep an allowlist.

Use cases

• SPA + API on different origins
• Public API design
• Cross-origin authentication flows
• Microservice-to-microservice via browser proxy

Related HTTP topics

401 vs 403: which one to return · 401 vs 403: which one to return · 401 vs 403: which one to return · 401 vs 403: which one to return · ↗ verifying cross-origin domain DNS