devinsta — design and development agency

CORS (Cross-Origin Resource Sharing)

A browser security mechanism that controls which origins are allowed to read responses from your API, enforced via HTTP headers.


CORS (Cross-Origin Resource Sharing) is the browser mechanism that decides whether JavaScript on one origin (https://a.example) can read a response from another origin (https://api.example). By default, browsers block it. Your server opts in by returning headers — Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials — that describe what is permitted.

CORS exists to stop a malicious page from quietly reading your bank's API on your behalf using your logged-in cookies. The pre-flight OPTIONS request lets the browser confirm the server agrees before sending anything sensitive. CORS does not protect the server itself — anyone with curl can call your API — it protects users from malicious cross-origin scripts reading responses through their browser.

The common pain points: setting Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true (browsers refuse the combination), forgetting to handle the OPTIONS pre-flight, a CDN edge cache serving CORS headers computed for a different origin (the response needs Vary: Origin), and trying to fix a CORS error in the front-end when only the server can. "It worked in Postman" almost always means the API is fine and the browser is rejecting the response.
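The following is an added example, not Devinsta's code, showing the server side of what the three paragraphs above describe: an explicit origin allow-list, the OPTIONS pre-flight answered with the Allow-Methods/Allow-Headers/Max-Age headers, credentials enabled only by policy, Vary: Origin set so an edge cache does not replay headers for the wrong origin, and the forbidden wildcard-plus-credentials combination rejected at startup. It is framework-free Node.js; the origins, methods and header names in the policy are constructed, and request header keys are assumed lowercase as in Node's req.headers.

```javascript
// Added example (not Devinsta's code): a framework-free CORS policy evaluator
// for a Node.js API. The policy values below are constructed for illustration.

// Explicit allow-list of origins. Compare the Origin header exactly
// (scheme + host + port); never match on a substring or regex.
const policy = {
  allowedOrigins: new Set(['https://a.example', 'https://admin.example']),
  allowedMethods: ['GET', 'POST', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  allowCredentials: true, // cookies / Authorization may be sent cross-origin
  maxAgeSeconds: 600,     // how long the browser may cache a pre-flight result
};

// The forbidden combination from the text: wildcard origin plus credentials.
const wildcardWithCredentials = { ...policy, allowedOrigins: new Set(['*']) };

function validatePolicy(p) {
  if (p.allowCredentials && p.allowedOrigins.has('*')) {
    throw new Error('Access-Control-Allow-Origin: * cannot be combined with credentials');
  }
}

// Headers to attach to an actual (non-pre-flight) response.
// reqHeaders uses lowercase keys, as Node's req.headers does.
// Returns {} for requests without an Origin (same-origin page, curl), and
// null when the origin is not allowed: then no CORS headers are sent at all
// and the browser refuses to expose the response to the calling script.
function corsHeaders(reqHeaders, p) {
  validatePolicy(p);
  const origin = reqHeaders['origin'];
  if (!origin) return {};
  if (!p.allowedOrigins.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin, // echo the specific origin, never '*'
    'Vary': 'Origin',                      // so edge caches key on the Origin header
  };
  if (p.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Answer an OPTIONS pre-flight. Returns { status, headers }.
function handlePreflight(reqHeaders, p) {
  if (!reqHeaders['origin']) return { status: 400, headers: {} }; // not a pre-flight
  const base = corsHeaders(reqHeaders, p);
  if (base === null) return { status: 403, headers: { 'Vary': 'Origin' } };

  const method = (reqHeaders['access-control-request-method'] || '').toUpperCase();
  if (!p.allowedMethods.includes(method)) {
    return { status: 403, headers: { 'Vary': 'Origin' } };
  }
  // Header names are case-insensitive; compare in lowercase.
  const requested = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = p.allowedHeaders.map((h) => h.toLowerCase());
  if (!requested.every((h) => allowed.includes(h))) {
    return { status: 403, headers: { 'Vary': 'Origin' } };
  }
  return {
    status: 204,
    headers: {
      ...base,
      'Access-Control-Allow-Methods': p.allowedMethods.join(', '),
      'Access-Control-Allow-Headers': p.allowedHeaders.join(', '),
      'Access-Control-Max-Age': String(p.maxAgeSeconds),
    },
  };
}

// Wire both paths into a Node http handler. Returns true when the request
// was a pre-flight and has been fully answered; false when the caller should
// go on to produce the real response (CORS headers are already set on res).
function applyCors(req, res, p) {
  if (req.method === 'OPTIONS') {
    const { status, headers } = handlePreflight(req.headers, p);
    res.writeHead(status, headers);
    res.end();
    return true;
  }
  const headers = corsHeaders(req.headers, p);
  if (headers) for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
  return false;
}
```

Two design points worth noting. A disallowed origin gets no Access-Control-Allow-Origin header at all (the 403 on pre-flight is a courtesy for server logs; the browser would block the read either way), which is the behaviour behind "it worked in Postman": curl and Postman ignore these headers entirely. And Vary: Origin goes on every response that carries CORS headers, so a CDN or edge cache stores one copy per origin instead of serving a.example's headers to admin.example.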

Devinsta configures CORS as part of API design, not as an afterthought when the front-end breaks. Allow-lists of explicit origins, narrow methods, and credentials only where they are genuinely needed.
