By Alex Silva in CORS — Jan 20, 2025

Understanding CORS: Why Even Senior Developers Struggle with It

Photo by Patrick Robert Doyle / Unsplash

Cross-Origin Resource Sharing (CORS) is one of those topics in web development that often confounds even seasoned developers. At its core, CORS is a security feature implemented by browsers to control how resources are shared between different origins. While it might seem as simple as adding Access-Control-Allow-Origin: *, the truth is far more complex. In this blog post, we’ll unravel the intricacies of CORS, explore common pitfalls, and explain why mastering it is essential for every developer.

What is CORS and Why Does It Exist?

CORS is a browser security feature that governs how resources like APIs, scripts, and stylesheets can be shared between different origins (domains, protocols, and ports). It prevents unauthorized access to sensitive resources from potentially malicious websites.

For example, if your website https://example.com tries to fetch data from https://api.otherdomain.com, the browser ensures the server explicitly allows this interaction through CORS headers. Without proper headers, the browser blocks the request, even if the server responds.

Why CORS Isn’t Just About `Access-Control-Allow-Origin: *`

Many developers assume that setting Access-Control-Allow-Origin: * solves all CORS issues. However, this approach:

Reduces Security: It allows any origin to access your resources, which can lead to data leaks or unauthorized API usage.
Fails in Complex Scenarios: Requests involving cookies or authentication tokens require more specific settings.

Proper CORS management involves understanding and configuring several headers beyond Access-Control-Allow-Origin.

Key CORS Headers and Their Roles

1. Access-Control-Allow-Origin

Defines which origins are allowed to access the resource. For example:

Access-Control-Allow-Origin: https://example.com

2. Access-Control-Allow-Methods

Specifies which HTTP methods (GET, POST, PUT, DELETE, etc.) are permitted.

Access-Control-Allow-Methods: GET, POST

3. Access-Control-Allow-Headers

Lists custom headers the client can use in the request. For example:

Access-Control-Allow-Headers: Content-Type, Authorization

4. Access-Control-Allow-Credentials

Enables cookies and authentication tokens to be sent with cross-origin requests.

Access-Control-Allow-Credentials: true

5. Access-Control-Expose-Headers

Specifies which headers can be accessed by the client in the response.

6. Access-Control-Max-Age

Determines how long the CORS preflight request can be cached by the browser to improve performance.

The Anatomy of a CORS Request

CORS requests can be categorized as:

Simple Requests: Requests using GET or POST with standard headers like Content-Type: application/x-www-form-urlencoded.
Preflight Requests: For more complex operations (e.g., custom headers or methods), the browser sends a preflight OPTIONS request to check the server’s CORS policy.

Example of a Preflight Request

OPTIONS /api/resource HTTP/1.1  
Origin: https://example.com  
Access-Control-Request-Method: POST  
Access-Control-Request-Headers: Content-Type, Authorization

Server’s Response

HTTP/1.1 200 OK  
Access-Control-Allow-Origin: https://example.com  
Access-Control-Allow-Methods: POST  
Access-Control-Allow-Headers: Content-Type, Authorization

Common Pitfalls and How to Avoid Them

1. Misconfigured Allow-Origin

Using * with Access-Control-Allow-Credentials: true causes an error. Instead, specify the origin explicitly.

2. Ignoring Preflight Requests

Some servers don’t handle OPTIONS requests properly, leading to CORS failures. Ensure your backend is configured to respond to OPTIONS requests.

3. Overly Permissive Headers

Allowing all methods or headers may expose your API to security risks. Be specific about what your API requires.

4. Confusion Between Client and Server Responsibilities

CORS is entirely managed by the server. If a CORS error occurs, the client cannot fix it.

CORS in Real-World Scenarios

Example: Fetching an API with Authentication

A frontend app at https://example.com needs to fetch data from https://api.example.com with a token:

fetch('https://api.example.com/data', {  
  method: 'GET',  
  credentials: 'include',  
  headers: {  
    'Authorization': 'Bearer token123',  
  },  
});

Server’s Response Headers

Access-Control-Allow-Origin: https://example.com  
Access-Control-Allow-Credentials: true  
Access-Control-Allow-Headers: Authorization

Example: Handling Multiple Origins

For APIs serving multiple clients, dynamically set Access-Control-Allow-Origin based on the request origin:

const allowedOrigins = ['https://client1.com', 'https://client2.com'];  
app.use((req, res, next) => {  
  const origin = req.headers.origin;  
  if (allowedOrigins.includes(origin)) {  
    res.setHeader('Access-Control-Allow-Origin', origin);  
  }  
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST');  
  next();  
});

Tips for Debugging CORS Issues

Use Browser Developer Tools: Check the network tab for CORS errors and examine headers.
Leverage Logs: Add logging to your server’s CORS middleware to troubleshoot requests.
Test with Tools: Use tools like Postman to send cross-origin requests without browser restrictions.

Conclusion: Mastering CORS Like a Pro

CORS is more than just adding Access-Control-Allow-Origin: * to your server. It requires understanding the interplay between client requests, server responses, and browser enforcement. By learning the nuances of CORS headers, preflight requests, and secure configurations, you can prevent errors and ensure seamless cross-origin interactions.

Even experienced developers struggle with CORS because it combines security, networking, and browser behavior in complex ways. But with practice and careful configuration, you can handle CORS like a true professional.