sajad torkamani

In a nutshell

Cross-Origin Resource Sharing (CORS) is an HTTP mechanism that allows origin servers to grant scripts from other origins access to resources that are otherwise restricted by the same-origin policy.

For example, the same-origin policy of browsers prevents a script from the origin to access the response from the By configuring the server at to respond with certain CORS headers, we can allow scripts from access.

CORS headers


Only allow requests from a whitelist of origins.



Only allow a subset of HTTP methods.

Access-Control-Allow-Methods: POST, GET, OPTIONS


Only allow a subset of HTTP headers.

Access-Control-Allow-Headers: X-PINGOTHER, Content-Type


Determine how long the response to a pre-flight request can be cached by the client before requiring them to sending another preflight request.

Access-Control-Max-Age: 86400


Leave a comment

Your email address will not be published. Required fields are marked *