Question 1

What is CORS and why do browsers enforce it?

Accepted Answer

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that restricts web pages from making requests to a different domain than the one that served the page. Browsers enforce it to prevent malicious scripts from silently reading sensitive data from other sites using the user's credentials.

Question 2

What does Access-Control-Allow-Origin: * mean and when is it safe?

Accepted Answer

The wildcard * allows any origin to read the response. It's safe for public APIs with no authentication and no sensitive data. Never use * with Access-Control-Allow-Credentials: true — browsers will refuse the combination because it would expose authenticated resources to any website.

Question 3

What is a preflight request?

Accepted Answer

A preflight is an automatic OPTIONS request that browsers send before certain cross-origin requests (non-simple methods like PUT, DELETE, or requests with custom headers). The server must respond with the appropriate CORS headers to approve the actual request. The Access-Control-Max-Age header caches the preflight result to reduce round-trips.

Question 4

Why aren't my CORS headers working in production?

Accepted Answer

Common causes: (1) The server framework has CORS disabled or overriding your headers. (2) You forgot to handle OPTIONS preflight requests — they need a 200/204 response with CORS headers. (3) You're using a CDN that strips custom headers. (4) The origin in your request doesn't exactly match the allowed origin (including protocol and port).

Question 5

Can I set multiple allowed origins?

Accepted Answer

The Access-Control-Allow-Origin header can only hold one value at a time. To support multiple origins, dynamically check the request's Origin header against a whitelist on the server and echo back the matched origin, or return * if no specific matching is needed.

CORS Header Generator

Frequently Asked Questions

Code Implementation

Comments & Feedback