CORS Explained — A Complete Guide for Web Developers

CORS (Cross-Origin Resource Sharing) is one of the most misunderstood parts of modern web development, yet it plays a critical role in web security.

In this guide, you’ll learn what CORS is, why it exists, how it works behind the scenes, and how to configure it correctly in real-world applications.

What is CORS?

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which websites are allowed to access resources from another origin.

An origin consists of:

1. protocol (https)
2. domain (example.com)
3. port (443)

If any of these differ, the request is considered cross-origin.

CORS allows servers to explicitly say:

“Yes, this origin is allowed to access my resources.”

Why CORS Exists

CORS exists to protect users from malicious websites.

Without CORS, a harmful site could:

1. read private API responses
2. perform actions on behalf of a logged-in user
3. steal sensitive data using JavaScript

CORS is enforced by the browser, not the server.

Same-Origin Policy Explained

Before CORS, browsers introduced the Same-Origin Policy (SOP).

The rule is simple:

A webpage can only read responses from the same origin it was loaded from.

CORS is an extension of this rule — it provides a controlled way to relax SOP when needed.

How CORS Works

CORS is based on HTTP request and response headers.

1. The browser sends a request with an Origin header:

1. The server responds with CORS headers:

1. The browser checks the headers.
2. If allowed, the response is accessible to JavaScript.

If not — the request is blocked by the browser, even if the server returned valid data.

Preflight Requests (OPTIONS)

Some requests are considered “non-simple” and require a preflight request.

Examples:

1. POST with JSON
2. custom headers
3. PUT, DELETE, PATCH

The browser first sends an OPTIONS request:

The server must respond with permission headers before the actual request is sent.

CORS Headers Explained

Common CORS headers include:

Important rules:

1. * cannot be used with Allow-Credentials: true
2. Headers must match exactly what the browser requests

CORS in JavaScript (Frontend)

If CORS is misconfigured, this request will fail before JavaScript receives any data.

CORS in Backend APIs (PHP Example)

This configuration allows controlled cross-origin access.

Common CORS Issues

1. Missing Access-Control-Allow-Origin
2. Mismatch between requested and allowed headers
3. Using * with credentials
4. Forgetting to handle OPTIONS requests
5. Assuming CORS is a backend-only problem

FAQ

Is CORS a security feature?

Yes — it protects users by preventing unauthorized cross-origin access in browsers.

Does CORS affect server-to-server requests?

No. CORS is enforced only by browsers.

Can I disable CORS?

You can’t disable it in browsers — only configure your server correctly.

Why does Postman work but the browser doesn’t?

Postman doesn’t enforce CORS. Browsers do.

Is CORS the same as CSRF?

No. They solve different security problems.

Conclusion

CORS is not a bug — it’s a critical security feature.

Once you understand how origins, headers, and preflight requests work, CORS stops being frustrating and becomes predictable.

Correct CORS configuration is essential for modern APIs, SPAs, and microservices.