CORS
Definition
CORS (Cross-Origin Resource Sharing) is a browser mechanism that lets a server explicitly opt in to cross-origin requests. By default the same-origin policy stops JavaScript on one origin from reading responses from another; CORS response headers (`Access-Control-Allow-Origin` and friends) tell the browser which origins may be granted an exception, and on what terms.
What it means
When your JS at `https://app.com` calls `https://api.com/data`, the browser sees a cross-origin fetch and consults CORS. For 'simple' requests (GET, HEAD or POST with only CORS-safelisted headers and a form, multipart or `text/plain` content-type) the browser sends the request as-is with an `Origin: https://app.com` header, and delivers the response to your code only if it carries `Access-Control-Allow-Origin: https://app.com` (or `*`, which is accepted only when the request was sent without credentials). The request still reaches the server either way: CORS gates reading the response, not sending the request. For 'non-simple' requests (custom headers, methods like DELETE or PUT, a JSON content-type), the browser first sends an OPTIONS preflight carrying `Access-Control-Request-Method` and `Access-Control-Request-Headers`, asking 'are you OK with this?'. The server must reply with matching `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` (and optionally `Access-Control-Max-Age` so the answer is cached); only then does the actual request go.
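The decision flow above, written out as an added example rather than code from the original page: a small model of what the browser does for a fetch from `https://app.com` to `https://api.com`. It classifies a request as simple or preflighted, builds the OPTIONS preflight the browser would send, and applies the checks the browser runs on the server's headers, including the rule that `*` is not accepted for credentialed requests. The function names (`classifyRequest`, `buildPreflight`, `originAllowed`, `preflightAccepted`) are illustrative, not browser or spec APIs, and the header sets at the bottom are constructed for the walk-through.

```javascript
// Added example: a model of the browser's CORS checks. Function names are
// illustrative; the safelists follow the Fetch spec's "CORS-safelisted" rules.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
// Request headers that do not trigger a preflight, provided their value is
// also safelisted (only Content-Type is value-checked here).
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

function isSafelistedHeader(name, value) {
  if (!SAFELISTED_HEADERS.has(name)) return false;
  if (name === 'content-type') {
    return SAFELISTED_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  }
  return true;
}

// 'simple': the browser sends the request directly; 'preflight': OPTIONS goes first.
function classifyRequest(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return 'preflight';
  const h = lowerKeys(headers);
  return Object.entries(h).every(([n, v]) => isSafelistedHeader(n, v)) ? 'simple' : 'preflight';
}

// The OPTIONS request the browser sends before a non-simple request.
function buildPreflight(origin, method, headers = {}) {
  const h = lowerKeys(headers);
  const ask = Object.entries(h).filter(([n, v]) => !isSafelistedHeader(n, v)).map(([n]) => n).sort();
  const out = { method: 'OPTIONS', headers: { Origin: origin, 'Access-Control-Request-Method': method.toUpperCase() } };
  if (ask.length) out.headers['Access-Control-Request-Headers'] = ask.join(', ');
  return out;
}

// Origin check applied to every CORS response, actual or preflight. With
// credentials, '*' is rejected and the allowed origin must match exactly.
function originAllowed(origin, responseHeaders, credentials) {
  const h = lowerKeys(responseHeaders);
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return false;
  if (credentials && h['access-control-allow-credentials'] !== 'true') return false;
  if (allow === '*') return !credentials;
  return allow === origin;
}

// Does the server's answer to the preflight let the real request proceed?
function preflightAccepted(preflight, responseHeaders, credentials = false) {
  const req = preflight.headers;
  if (!originAllowed(req.Origin, responseHeaders, credentials)) return false;
  const h = lowerKeys(responseHeaders);
  const split = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const methods = split(h['access-control-allow-methods']);
  const wantedMethod = req['Access-Control-Request-Method'].toLowerCase();
  // '*' wildcards are only honoured for requests sent without credentials.
  const methodOk = methods.includes(wantedMethod)
    || (!credentials && methods.includes('*'))
    || SAFELISTED_METHODS.has(wantedMethod.toUpperCase());
  if (!methodOk) return false;
  const allowedHeaders = split(h['access-control-allow-headers']);
  const wantedHeaders = split(req['Access-Control-Request-Headers']);
  // '*' in Allow-Headers never covers Authorization; it must be listed explicitly.
  return wantedHeaders.every((n) => allowedHeaders.includes(n)
    || (!credentials && allowedHeaders.includes('*') && n !== 'authorization'));
}

// Walk-through with constructed requests and server headers.
const ORIGIN = 'https://app.com';
const simpleGet = classifyRequest('GET', { Accept: 'application/json' });
const jsonPost = classifyRequest('POST', { 'Content-Type': 'application/json' });
const preflight = buildPreflight(ORIGIN, 'DELETE', { 'X-Requested-With': 'fetch' });
const serverOk = {
  'Access-Control-Allow-Origin': ORIGIN,
  'Access-Control-Allow-Methods': 'GET, DELETE',
  'Access-Control-Allow-Headers': 'X-Requested-With',
};
console.log(simpleGet, jsonPost, preflight, preflightAccepted(preflight, serverOk));
```

A JSON POST is preflighted only because of its content-type; the same body sent as `text/plain` is a simple request, which is why CSRF defences cannot rely on CORS alone.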
Why it matters
CORS is probably the most-misunderstood error in web development. A 'CORS error' in the console almost always means the SERVER hasn't sent the right headers, not that the CLIENT has done something wrong; there is no client-side fix. Common pitfalls: sending `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true` (a combination browsers reject); not answering the OPTIONS preflight (frameworks often return 404 or 405 for it); mismatched origins (`https://www.app.com` is not `https://app.com`, and scheme and port count too); and assuming a header change is live after a deploy while a CDN is still serving the cached response (which is also why `Vary: Origin` matters whenever the allowed origin is chosen per request). The security-relevant mistake runs the other way: reflecting whatever `Origin` the request carries, or matching it with a loose pattern, and adding credentials. That lets JS on any site read your users' authenticated responses, which is exactly what CORS exists to prevent.
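The two misconfigurations and the hardened pattern, as an added example that is not code from the original page: three ways an API at `https://api.com` might choose its CORS headers from the request's `Origin`. The allowlist, the function names and the request objects are assumptions for the illustration; request headers are keyed in lowercase as Node's `http` module delivers them.

```javascript
// Added example: server-side CORS policy, weak patterns beside the hardened one.
// ALLOWED_ORIGINS and the function names are illustrative.

const ALLOWED_ORIGINS = new Set(['https://app.com', 'https://admin.app.com']);

// Mistake 1: reflect whatever Origin arrives, with credentials. Any site's JS
// can now read authenticated responses through the victim's browser.
function corsReflectAny(origin) {
  if (!origin) return {};
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
}

// Mistake 2: suffix or substring matching. 'https://evilapp.com' ends with 'app.com'.
function corsSuffixMatch(origin) {
  if (!origin || !origin.endsWith('app.com')) return {};
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
}

// Hardened: exact allowlist (so the 'null' origin and look-alike hosts fail),
// Vary: Origin so caches keep per-origin answers apart, and a preflight answer
// only for allowed origins. Disallowed origins still get the resource on a
// normal request; the browser simply will not expose the response to JS.
function corsAllowlist(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  const headers = { Vary: 'Origin' };
  if (!origin || !allowed.has(origin)) {
    return { status: req.method === 'OPTIONS' ? 403 : 200, headers };
  }
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (req.method === 'OPTIONS') {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600'; // let the browser cache the preflight for 10 minutes
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Lint check for the forbidden '*' plus credentials combination.
function wildcardWithCredentials(headers) {
  return headers['Access-Control-Allow-Origin'] === '*'
    && headers['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed requests: a legitimate origin, a look-alike, and a sandboxed frame.
const legit = corsAllowlist({ method: 'OPTIONS', headers: { origin: 'https://admin.app.com' } });
const lookalike = corsAllowlist({ method: 'GET', headers: { origin: 'https://evilapp.com' } });
const sandboxed = corsAllowlist({ method: 'OPTIONS', headers: { origin: 'null' } });
console.log(legit, lookalike, sandboxed);
console.log('suffix match leaks to:', corsSuffixMatch('https://evilapp.com'));
```

If you need many subdomains, enumerate them or parse the `Origin` as a URL and compare scheme, host and port exactly; never test the raw string with `endsWith`, `includes` or an unanchored regex.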
Frequently asked questions
Why do I get a CORS error in fetch but not in curl?
CORS only exists in browsers. curl, Postman, and server-to-server requests bypass it entirely — the same-origin policy is browser security, not a network rule.
How do I 'fix' CORS on the client?
You can't, in production. The server you're calling must send the right `Access-Control-Allow-Origin` (and, for credentialed or non-simple requests, the matching credentials, methods and headers values). In development, a dev proxy (Vite's `server.proxy`, Next.js rewrites) can route browser requests through your own origin so they are no longer cross-origin. Extensions like CORS Unblock can disable the policy locally, but they disable a security boundary for every site you visit, so keep them to a throwaway browser profile.
Is CORS a security feature?
Not on its own. The same-origin policy is the security feature; CORS is the mechanism for relaxing it, so a permissive CORS policy weakens security rather than adding any. It does NOT protect the SERVER from a malicious client: anyone can call your API from curl. Nor does it stop a request from being sent, so it is no defence against CSRF for simple requests. What CORS protects is the user: it prevents rogue JS in another tab from reading your authenticated responses through that user's browser.
Related terms
- XSS: XSS (Cross-Site Scripting) is a vulnerability where attacker-controlled JavaScript runs in another user's browser, in the context of your site: same domain, same cookies, same localStorage. Result: session theft, data exfiltration, or arbitrary actions taken as the user.
- CSRF: CSRF (Cross-Site Request Forgery) tricks a logged-in user's browser into making an authenticated request your server can't distinguish from a real one. The attacker doesn't need to read responses; they just need the request to fire and have side effects.
- HTTPS: HTTPS is HTTP wrapped in a TLS-encrypted tunnel. Everything between your browser and the server (URLs, form data, cookies, response bodies) is encrypted in transit so a network observer (cafe Wi-Fi, ISP, anyone in between) can't read it or change it.