Skip to content

CORS: Definition, Syntax, and Examples

TL;DR:

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls requests from one domain to another. The server uses Access-Control-Allow-Origin header to explicitly declare which origins may read data. Without proper CORS, JavaScript from example.com cannot fetch api.another.com.

Check your site →

What is a CORS

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls requests from one domain to another. The server uses Access-Control-Allow-Origin header to explicitly declare which origins may read data. Without proper CORS, JavaScript from example.com cannot fetch api.another.com.

Check CORS online

Use the Enterno.io tool — enter a domain, get results in 1-2 seconds. Free, no signup.

Check →

Understanding CORS Headers

CORS operates through a set of HTTP headers that dictate how web browsers handle cross-origin requests. The primary header for CORS is Access-Control-Allow-Origin, which specifies which origins are permitted to access the resources on the server. Here’s a breakdown of the most common CORS headers:

  • Access-Control-Allow-Origin: This header defines the allowed origin(s) that can access the resource. It can be a specific origin (e.g., https://example.com) or a wildcard (*) which allows all origins.
  • Access-Control-Allow-Methods: This header lists the HTTP methods (e.g., GET, POST, PUT) that are allowed when accessing the resource.
  • Access-Control-Allow-Headers: This header specifies which headers can be used during the actual request.
  • Access-Control-Allow-Credentials: This header indicates whether the browser should include credentials (like cookies or HTTP authentication) with requests.
  • Access-Control-Expose-Headers: This header lets the server expose specific headers to the client.

By configuring these headers, developers can control how their web applications interact with resources from different origins, thus enhancing security and functionality.

Common CORS Errors and Troubleshooting

When working with CORS, developers often encounter specific errors that can disrupt the functionality of their applications. Understanding these errors can help in troubleshooting and resolving issues effectively. Here are some of the most common CORS-related errors:

  • Access-Control-Allow-Origin Error: This error occurs when the server does not include the Access-Control-Allow-Origin header in its response, or when the specified origin does not match the request's origin. To resolve this, ensure that the server includes the correct header in its response.
  • No 'Access-Control-Allow-Credentials' Header: If credentials are included in the request (e.g., cookies), but the server does not allow credentials, the browser will block the request. To fix this, set Access-Control-Allow-Credentials to true on the server.
  • Preflight Request Failure: Browsers send a preflight request (OPTIONS) before the actual request to check permissions. If the server does not respond correctly to the preflight request, the actual request will fail. Ensure that the server properly handles OPTIONS requests and responds with the appropriate CORS headers.

By understanding these errors, developers can implement effective solutions, ensuring smooth cross-origin interactions in their applications.

Configuring CORS in Different Environments

Configuring CORS can differ based on the web server or framework you are using. Below are examples of how to configure CORS for popular web servers:

  • Node.js with Express: To enable CORS in a Node.js application using Express, you can use the cors middleware:
  • const cors = require('cors');
    app.use(cors({ origin: 'https://example.com' }));

    This configuration allows requests only from https://example.com.

  • Apache Server: To configure CORS in an Apache server, you can add the following lines to your .htaccess file:
  • Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    Header set Access-Control-Allow-Headers "Content-Type"

    This configuration allows requests from any origin and specifies allowed methods and headers.

  • Nginx: For Nginx, you can add the following directives in your server block:
  • add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'Content-Type';

    These configurations help ensure that your application properly handles CORS requests in various environments.

Learn more

Frequently Asked Questions

How does CORS differ from similar concepts?

See the full breakdown in the article above. For a quick check, use our online tool.

Does this need manual updates?

Usually no — most modern services configure it automatically. Manual setup is only needed for migrations or exotic configurations.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.