CORS
Cross-Origin Resource Sharing (CORS) only applies in a browser context and is a security mechanism that allows one origin to make a request to another origin. All browsers follow the Same-Origin Policy, meaning that by default scripts cannot make requests to other origins - but if the server provides properly configured CORS headers, this policy can be selectively relaxed. CORS is therefore a way of selectively loosening security, not of tightening it.
When a website makes an XHR request to another origin, the browser first initiates a preflight OPTIONS request - the original request is only made if the server responds to this preflight with a list of allowed origins, and that list contains the origin of the current page.
Note that CORS preflight requests are not made for GET, HEAD or POST requests with default headers.
Some key headers sent in response to an OPTIONS request:
access-control-allow-credentials: If set, cookies are sent by the browser.
access-control-allow-origin: The list of origins allowed to make requests, or '*' to allow anyone to make requests. If access-control-allow-credentials is set, this cannot be '*', or the browser will reject the request anyway.
access-control-allow-methods: The list of HTTP methods allowed to communicate - POST, PUT, etc.
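As an added example (not part of the original page), a small Node.js function that applies these rules on the server side: it answers the preflight only for origins on a constructed allowlist, echoes that exact origin rather than '*' when credentials are allowed, and returns no CORS headers otherwise. The origins, methods and header names used are assumptions for illustration.

```javascript
// Added example (not from the original page): a minimal server-side CORS
// policy deciding which headers to return for a cross-origin request.
// The allowlist and the sample requests are constructed for illustration.

const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// True when the request is a CORS preflight: an OPTIONS request that names
// the method the browser actually wants to send afterwards.
function isPreflight(method, headers) {
  return method === "OPTIONS" && "access-control-request-method" in headers;
}

// Builds the CORS response headers for a request. `headers` keys are lower-case.
// Returns {} when the Origin is not on the allowlist, so the browser blocks the
// cross-origin read. It never reflects an arbitrary Origin and never combines
// '*' with credentials, which the browser would reject anyway.
function corsHeaders(method, headers, allowCredentials = true) {
  const origin = headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  const out = {
    "access-control-allow-origin": origin, // the exact origin, not '*'
    "vary": "Origin",                      // caches must key on Origin
  };
  if (allowCredentials) {
    out["access-control-allow-credentials"] = "true";
  }
  if (isPreflight(method, headers)) {
    const wanted = headers["access-control-request-method"];
    if (!ALLOWED_METHODS.includes(wanted)) {
      return {}; // method not permitted: preflight fails, real request is never sent
    }
    out["access-control-allow-methods"] = ALLOWED_METHODS.join(", ");
    out["access-control-allow-headers"] = ALLOWED_HEADERS.join(", ");
    out["access-control-max-age"] = "600"; // browser may cache this preflight result
  }
  return out;
}
```

Wire `corsHeaders` into the response path for every route, including the OPTIONS handler, so that simple requests and preflights are evaluated against the same allowlist.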