sajad torkamani

In a nutshell

Cross-Origin Resource Sharing (CORS) is an HTTP mechanism that allows origin servers to grant scripts from other origins access to resources that are otherwise restricted by the same-origin policy.

For example, the browser's same-origin policy prevents a script from the origin https://foo.com from reading the response to a request it makes to https://example.com. By configuring the server at https://example.com to respond with certain CORS headers, we can allow scripts from https://foo.com to access that response.

CORS headers

Access-Control-Allow-Origin

Only allow requests from a whitelist of origins. The response names the single origin being allowed (or `*` for any origin); the browser compares it against the page's own origin before letting the script read the response.

Access-Control-Allow-Origin: https://example.com

Access-Control-Allow-Methods

Only allow a subset of HTTP methods.

Access-Control-Allow-Methods: POST, GET, OPTIONS

Access-Control-Allow-Headers

Only allow a subset of HTTP headers.

Access-Control-Allow-Headers: X-PINGOTHER, Content-Type

Access-Control-Max-Age

Determine how long (in seconds) the response to a preflight request can be cached by the client before it has to send another preflight request.

Access-Control-Max-Age: 86400
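The following is an added example, not code from the original post: a small Python helper that decides which of the four headers above to attach to a response, given the request's Origin header and a preflight's Access-Control-Request-Method / Access-Control-Request-Headers. The allowlist contents, the function name `cors_headers`, and the `Vary: Origin` header it adds are my assumptions; the method list, header list and max-age value are the ones shown in the post. The point it demonstrates is that the origin check is an exact match against an allowlist, rather than echoing whatever Origin the request carries.

```python
# Added example (not from the original post). Illustrative CORS policy helper:
# computes the CORS response headers for a request. Names and allowlist
# contents are assumptions chosen for the demonstration.

from typing import Optional

# Constructed allowlist: only these exact origins may read our responses.
ALLOWED_ORIGINS = frozenset({"https://foo.com", "https://app.foo.com"})
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")          # as in the post
ALLOWED_HEADERS = ("X-PINGOTHER", "Content-Type")     # as in the post
PREFLIGHT_MAX_AGE = 86400                             # seconds, as in the post


def cors_headers(origin: Optional[str], method: str,
                 requested_method: Optional[str] = None,
                 requested_headers: Optional[str] = None) -> dict:
    """Return the CORS headers to add to a response, or {} to add none.

    origin            value of the request's Origin header (None if absent)
    method            HTTP method of the request being handled
    requested_method  Access-Control-Request-Method of a preflight (OPTIONS)
    requested_headers Access-Control-Request-Headers of a preflight
    """
    headers = {}

    # Exact-match check against the allowlist. Reflecting an arbitrary Origin,
    # or using a prefix/substring match, would also grant unrelated hosts
    # whose name merely contains the allowed one.
    if origin is None or origin not in ALLOWED_ORIGINS:
        return headers  # no CORS headers: the browser blocks the cross-origin read

    headers["Access-Control-Allow-Origin"] = origin
    # We echo one specific origin, so shared caches must key on Origin.
    headers["Vary"] = "Origin"

    is_preflight = method == "OPTIONS" and requested_method is not None
    if not is_preflight:
        return headers

    # Preflight: approve only methods and headers on the allowlists.
    if requested_method not in ALLOWED_METHODS:
        return {}  # rejecting a preflight = sending no CORS headers
    if requested_headers:
        wanted = [h.strip() for h in requested_headers.split(",") if h.strip()]
        allowed_lc = {h.lower() for h in ALLOWED_HEADERS}  # header names are case-insensitive
        if any(h.lower() not in allowed_lc for h in wanted):
            return {}

    headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
    headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
    headers["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    return headers


if __name__ == "__main__":
    # Constructed sample requests.
    print(cors_headers("https://foo.com", "GET"))
    print(cors_headers("https://foo.com.other.example", "GET"))   # not on the list -> {}
    print(cors_headers("https://foo.com", "OPTIONS", "POST",
                       "X-PINGOTHER, Content-Type"))
    print(cors_headers("https://foo.com", "OPTIONS", "DELETE"))   # method not allowed -> {}
```

A real handler would call this once per request and copy the returned dictionary onto the response; an empty dictionary is the deliberate "deny" outcome, since the browser enforces the policy purely from the presence and values of these headers.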

Sources