Cross-Origin Resource Sharing (CORS) is a security feature implemented in web browsers to allow or restrict requested resources on a web server depending on where the HTTP request was initiated. This mechanism provides a way for web servers to control how their resources are shared by external web pages by using specific HTTP headers to inform the browser about the domains that are permitted to access those resources.
When a web application uses resources (like fonts, images, or scripts) across different origins (a combination of the protocol, domain, and port), the browser’s same-origin policy blocks the resources from loading for security reasons. CORS comes into play to overcome these restrictions by enabling web servers to specify which origins are allowed to access the resources.
Here’s how it works:
1. Pre-flight Request: In many cases, especially with requests that can modify server data, the browser sends a preliminary “pre-flight” request to the server hosting the cross-origin resource, to check if the server would allow the actual request. This is done using the HTTP `OPTIONS` method.
2. CORS Headers: The server responds with specific CORS headers like `Access-Control-Allow-Origin` to indicate which origin sites are allowed. If the origin of the site that made the request is in the list of allowed origins, the browser will permit the request.
3. Actual Request: If the pre-flight checks pass, the actual request is sent to the server, and the requested resource is shared with the requesting site.
CORS headers include