CORS (Cross-Origin Resource Sharing) is a critical browser security mechanism that extends the Same-Origin Policy to allow controlled cross-domain communication. The guide covers how browsers and servers negotiate cross-origin access via HTTP headers, the difference between simple and preflight requests, how to handle credentialed requests safely, and common misconfigurations to avoid — including using wildcards with credentials, forgetting OPTIONS preflight handling, misaligned headers, and caching issues. Key takeaway: CORS is enforced by the browser, not the server, and understanding the protocol prevents endless debugging cycles.
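The misconfigurations listed above (a wildcard origin paired with credentials, a missing OPTIONS preflight handler, and cached responses leaking one origin's headers to another) all come down to how the server builds its response headers from the request's Origin. The following is an added example, not code from the guide: a small Python function that computes CORS response headers against a constructed allowlist, answers preflights, adds `Vary: Origin` so caches key on the origin, and refuses outright to combine `*` with credentials. The origins, allowed methods and allowed headers are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed allowlist for the example; a real deployment loads this from config.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
ALLOWED_METHODS = frozenset({"GET", "POST", "PUT", "DELETE"})
ALLOWED_HEADERS = frozenset({"content-type", "authorization"})
PREFLIGHT_MAX_AGE = 600  # seconds the browser may cache a preflight result


@dataclass
class CorsResponse:
    status: int
    headers: dict = field(default_factory=dict)


def cors_headers(method, origin, *, allow_credentials=False, public=False,
                 request_method=None, request_headers=""):
    """Compute the CORS response headers for one incoming request.

    method            HTTP method of the request
    origin            value of the request's Origin header, or None if absent
    allow_credentials whether cookies / Authorization may be sent cross-origin
    public            allow any origin (only legal without credentials)
    request_method    Access-Control-Request-Method on a preflight, else None
    request_headers   Access-Control-Request-Headers on a preflight (comma list)
    """
    if public and allow_credentials:
        # Browsers reject "*" together with credentials, so this configuration
        # silently breaks every credentialed call; fail loudly instead.
        raise ValueError("wildcard origin cannot be combined with credentials")

    is_preflight = method == "OPTIONS" and request_method is not None

    # No Origin header: same-origin navigation or a non-browser client.
    # Nothing to negotiate, so add no CORS headers at all.
    if origin is None:
        return CorsResponse(204 if is_preflight else 200)

    # Trust decision: exact string match only. Substring, prefix or regex
    # matching of the Origin value is a classic misconfiguration.
    if public:
        allow_origin = "*"
    elif origin in ALLOWED_ORIGINS:
        allow_origin = origin
    else:
        # Untrusted origin: send no CORS headers; the browser blocks the read.
        return CorsResponse(403 if is_preflight else 200)

    headers = {"Access-Control-Allow-Origin": allow_origin}
    if allow_origin != "*":
        # The response now differs per origin, so shared caches must key on
        # Origin; otherwise one origin's allow header is served to another.
        headers["Vary"] = "Origin"
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"

    if not is_preflight:
        return CorsResponse(200, headers)

    # Preflight: the browser asks whether the real request would be acceptable.
    wanted = {h.strip().lower() for h in request_headers.split(",") if h.strip()}
    if request_method not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
        return CorsResponse(403)
    headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
    headers["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    return CorsResponse(204, headers)


if __name__ == "__main__":
    # Constructed sample exchange: a preflight followed by the credentialed request.
    pre = cors_headers("OPTIONS", "https://app.example.com",
                       request_method="PUT", request_headers="Content-Type, Authorization")
    real = cors_headers("PUT", "https://app.example.com", allow_credentials=True)
    print(pre.status, pre.headers)
    print(real.status, real.headers)
```

The function returns headers only; wiring it into a framework means calling it from an OPTIONS route as well as from the real handlers, since a framework that has no OPTIONS route answers the preflight with 404 or 405 and the browser never sends the real request.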
Table of contents
- What Is CORS (and Why It Exists)
- Understanding the Same-Origin Policy (SOP)
- Why SOP Alone Wasn't Enough
- How CORS Works: The Protocol-Level Flow
- Types of CORS Requests
- Handling Credentials in CORS
- How Browsers Determine What Requests Are CORS-Eligible
- Internal Security Checks, XMLHttpRequest vs Fetch, and Browser Differences
- Server-Side Handling of the Origin Header
- Common CORS Misconfigurations (and How to Avoid Them)
- CORS Isn't the Enemy, Misunderstanding It Is