What is CORS?
Learn what CORS is — the same-origin policy, allow-origin headers and the preflight request — with examples and web development interview questions answered.
Expected Interview Answer
CORS (Cross-Origin Resource Sharing) is a browser security mechanism that lets a server explicitly permit web pages from one origin to make requests to a different origin, relaxing the same-origin policy through a set of HTTP response headers.
By default the browser’s same-origin policy blocks a page on origin A from reading responses from origin B (a different scheme, host, or port). CORS lets the server opt in by returning headers such as Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers. For requests that can change data or use non-simple headers, the browser first sends a preflight OPTIONS request to ask permission, and only proceeds if the response approves it. Crucially, CORS is enforced by the browser — it does not protect the server itself, and non-browser clients ignore it.
- Lets servers safely share resources with approved origins
- Keeps the same-origin policy protecting users by default
- Fine-grained control via allowed origins, methods and headers
- Preflight checks guard state-changing cross-origin requests
AI Mentor Explanation
CORS is like a members’ pavilion that only admits visitors from clubs on its approved list. By default the gatekeeper (the browser) turns away anyone from another ground — the same-origin rule. To let a specific away club in, the pavilion posts an approval notice naming that club, and for anything beyond a simple look-around the visitor must first ask at the door (the preflight) and be cleared. The host decides who is allowed; the gate enforces it.
Step-by-Step Explanation
Step 1
Same-origin by default
The browser blocks a page from reading responses from a different scheme, host, or port.
Step 2
Server opts in
Return Access-Control-Allow-Origin (and Methods/Headers) naming the permitted origins.
Step 3
Preflight for risky requests
Non-simple requests trigger an OPTIONS preflight the server must approve first.
Step 4
Browser enforces
If headers approve, the browser exposes the response; otherwise it blocks reading it.
What Interviewer Expects
- CORS relaxes the browser same-origin policy via response headers
- What defines an origin: scheme + host + port
- The preflight OPTIONS request and when it fires
- That CORS is browser-enforced, not server protection
Common Mistakes
- Thinking CORS protects the server rather than the browser user
- Using Access-Control-Allow-Origin: * together with credentials
- Confusing CORS blocking with the server rejecting the request
- Forgetting the preflight needs the OPTIONS method allowed
Best Answer (HR Friendly)
“CORS is a browser rule that decides whether a web page from one site is allowed to fetch data from another site. By default the browser blocks this, and the other site has to say yes by sending special headers. It protects users, and it is checked by the browser — not something that secures the server itself.”
Code Example
OPTIONS /api/orders (browser preflight)
Origin: https://app.example.com
Access-Control-Request-Method: POST
HTTP/1.1 204 No Content (server approves)
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, AuthorizationFollow-up Questions
- What is the same-origin policy and why does it exist?
- When does a request trigger a CORS preflight?
- Why can’t you use a wildcard origin with credentialed requests?
- How is CORS different from CSRF protection?
MCQ Practice
1. CORS is enforced by?
CORS is a browser mechanism; non-browser clients ignore it entirely.
2. Which header tells the browser which origin may read a response?
Access-Control-Allow-Origin names the origin(s) permitted to read the response.
3. A CORS preflight uses which HTTP method?
The browser sends an OPTIONS request to ask permission before the real request.
Flash Cards
What does CORS stand for? — Cross-Origin Resource Sharing — controlled relaxation of the same-origin policy.
What defines an origin? — The combination of scheme, host, and port.
What is a preflight? — An OPTIONS request the browser sends to ask the server’s permission before a risky request.
Who enforces CORS? — The browser — it does not protect the server, and non-browser clients ignore it.