CORS

 

What is CORS

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which origins (domains) are allowed to read responses from your server.

  • Origin = protocol + domain + port
    • https://app.comhttps://api.comhttp://app.com

Why CORS was developed

Browsers enforce the Same-Origin Policy (SOP):

  • A script from one origin cannot read data from another origin.

Problem SOP caused:

  • Legit frontend (app.com) couldn’t call backend (api.com) and read responses.

CORS solution:

  • Let the server explicitly whitelist trusted origins.

How CORS works

Simple request

Browser sends:

Origin: https://app.com

Server responds:

Access-Control-Allow-Origin: https://app.com

→ Browser allows frontend JS to read the response

Preflight request (for complex requests)

Browser first sends:

OPTIONS /api
Origin: https://app.com
Access-Control-Request-Method: POST

Server replies:

Access-Control-Allow-Origin: https://app.com
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: Authorization

→ Then actual request is sent

What a “CORS error” means

When you see a CORS error:

  • Request DID reach the server
  • Server likely responded
  • But browser blocked access to response

So:

CORS is enforced by the browser, not the server

How CORS improves security

CORS prevents:

  • Malicious sites from reading sensitive responses

Example attack without CORS:

fetch("https://bank.com/account")
  .then(res => res.json())
  .then(data => sendToAttacker(data))

If cookies exist:

  • Request succeeds
  • Data returned
  • Attacker reads it

With CORS:

  • Request still goes
  • Browser blocks response access
  • Attacker gets nothing

Critical distinction (very important)

TopicPrevents
CORSReading responses
CSRFSending malicious requests

Key insight:

  • CORS does NOT stop the request
  • It only stops JavaScript from reading the response

Relationship with cookies

If server allows:

Access-Control-Allow-Credentials: true

Then:

  • Cookies can be sent cross-origin
  • Must restrict allowed origins strictly

When you get CORS errors in Spring

Usually means:

  • Backend didn’t allow your frontend origin
  • Missing headers like:
    • Access-Control-Allow-Origin
    • Access-Control-Allow-Headers

Why CORS is important for reliability

  • Prevents accidental data leakage
  • Forces explicit frontend-backend contracts
  • Avoids exposing APIs to unknown domains

Final mental model

  • SOP = “block everything cross-origin”
  • CORS = “allow only trusted origins”
  • CSRF = “protect against unwanted actions”

They solve different problems:

  • CORS → data exposure control
  • CSRF → request authenticity control




    CONCLUSION 
  • CORS (Cross-Origin Resource Sharing) is not what enables cross-origin requests themselves—browsers already allow sending requests to any domain—but it controls whether a browser allows JavaScript to read the response. By default, the browser enforces the Same-Origin Policy, meaning a script from app.com can send a request to api.com, but it cannot access the response data if the origins differ. CORS works by having the server explicitly include headers like Access-Control-Allow-Origin: https://app.com; when the browser sees this, it allows the frontend code on app.com to read the response from api.com. Without these headers, the request may still reach the server and even succeed, but the browser blocks the response and throws a CORS error. So CORS does not “allow communication” in general—it allows controlled sharing of response data between trusted origins, which is why it is required when frontend and backend are on different domains.

Comments

Post a Comment

Popular posts from this blog

Kubernetes terms made easy

when we have docker compose and we can define rules to run our containerized applications over there ... so why do we need k8s...? Well we can certainly manage very small containers... but handling large scale applications through this will certainly be a nightmare... Because ... large apps will need to scale automatically.. and docker compose requires manual intervention and scripting .. ahhh who will re invent the wheel... Let's k8s do this... Now when we know the importance of k8s .. we have to learn it's core components and it's architecture level working... k8$ environment have a company named ... control pane .. who is responsible for managing and running kubernetes clusters ....  This company, named control pane.. have a CEO.. named, API Server ...I wasn't talking about the actual CEO of kubernetes 😅... just an analogy... Every one discuss there matters with API server ... and api server talks to everyone ... It's kind of a brain of the company...  Next come...
Read more

Anomalies in Database

Anomaly is a fault which occurs in the poorly designed database , which leads to inconsistent, redundant and inefficient data. There are three kind of anomalies: - Insertion anomaly - Updation anomaly - Deletion anomaly Insertion Anomaly It occurs when we want to insert a particular kind of data, let's say Data#1, but due to the absence of a certain data, let's say Data#2, we were unable to add. Example If we have only one table for saving student and course, named std_course. We won't be able to add the new course until, we have the student information. std_course Table  Student_ID Student_Name Course Instructor Instructor_Contact 101 Ali DBMS Mr. Khan 123456789 102 Ahmed OS Mr. Ahsan 987654321 Suppos...
Read more