CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls whether a web page is allowed to read responses from an origin (scheme, host and port) other than the one it was loaded from. It is a controlled relaxation of the Same-Origin Policy, which would otherwise block most cross-origin reads.
CORS lets a server explicitly declare which origins are permitted to access its resources. Without this restriction, a malicious website could read sensitive data from your authenticated session on another site.
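The decision a server has to make, as an added example that is not part of the original page: check the request's `Origin` against an exact-match allowlist, echo only an allowed origin (never `*` when credentials are permitted), answer preflights with the allowed methods, headers and cache lifetime, and mark the response with `Vary` so caches do not serve one origin's answer to another. The allowlist, method and header lists below are constructed sample values; the function name `cors_headers` is this example's own.

```python
"""Server-side CORS decision logic for one endpoint.

Added example (not from any framework): implements the allowlist,
credential and preflight rules described in the text. The allowed origins,
methods and headers are constructed sample configuration.
"""
from typing import Dict, Optional

# Exact origins (scheme + host + port). Matching is exact string comparison,
# never substring or regex, so "https://example.com.evil.test" does not match.
ALLOWED_ORIGINS = frozenset({"https://example.com", "https://app.example.com"})
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE", "PATCH")
ALLOWED_HEADERS = ("Content-Type", "Authorization", "X-Api-Key")
EXPOSED_HEADERS = ("X-RateLimit-Remaining",)
PREFLIGHT_MAX_AGE = 86400  # seconds the browser may cache the preflight answer


def cors_headers(method: str, request_headers: Dict[str, str],
                 allow_credentials: bool = True) -> Optional[Dict[str, str]]:
    """Return the CORS response headers to add for this request.

    Returns {} for requests without an Origin header (same-origin or
    non-browser clients need no CORS headers) and None when the request must
    be answered without any CORS headers (origin, method or header rejected).
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = headers.get("origin")
    if origin is None:
        return {}
    if origin not in ALLOWED_ORIGINS:
        return None

    # Echo the single allowed origin and tell caches the answer depends on it.
    # With credentials allowed, "*" is never emitted (browsers reject it anyway).
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"

    is_preflight = (method.upper() == "OPTIONS"
                    and "access-control-request-method" in headers)
    if not is_preflight:
        # Actual request: let the page read the listed non-default headers.
        out["Access-Control-Expose-Headers"] = ", ".join(EXPOSED_HEADERS)
        return out

    # Preflight: the browser asks whether the method and custom headers are allowed.
    wanted_method = headers["access-control-request-method"].upper()
    wanted_headers = [h.strip().lower()
                      for h in headers.get("access-control-request-headers", "").split(",")
                      if h.strip()]
    allowed_lower = {h.lower() for h in ALLOWED_HEADERS}
    if wanted_method not in ALLOWED_METHODS:
        return None
    if any(h not in allowed_lower for h in wanted_headers):
        return None
    out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
    out["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
    out["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    # The preflight answer depends on everything the browser asked about.
    out["Vary"] = "Origin, Access-Control-Request-Method, Access-Control-Request-Headers"
    return out


if __name__ == "__main__":
    # Constructed sample preflight from an allowed origin.
    print(cors_headers("OPTIONS", {
        "Origin": "https://app.example.com",
        "Access-Control-Request-Method": "PUT",
        "Access-Control-Request-Headers": "Authorization, X-Api-Key",
    }))
```

A rejected origin yields `None` rather than an error response: the correct server behaviour is to answer normally but without CORS headers, so the browser blocks the page from reading the result while non-browser clients are unaffected.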
| Header | Explanation |
|---|---|
| Access-Control-Allow-Origin: * | Allows any origin to access the resource (very risky for sensitive APIs). |
| Access-Control-Allow-Origin: https://example.com | Allows only the specified origin to access the resource. |
| Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH | Specifies which HTTP methods are allowed for cross-origin requests. |
| Access-Control-Allow-Headers: Content-Type, Authorization, X-Api-Key | Lists which custom request headers the client is allowed to send. |
| Access-Control-Allow-Credentials: true | Allows cookies and authentication data in cross-origin requests; the browser rejects the response if this is combined with "*", so a specific origin must be echoed instead. |
| Access-Control-Expose-Headers: X-RateLimit-Remaining, X-Custom-Header | Allows the browser to read specific response headers that are normally hidden. |
| Access-Control-Max-Age: 86400 | Defines how long the browser may cache the preflight response (in seconds). |
| Access-Control-Request-Method: PUT | Sent by the browser during preflight to ask if the HTTP method is allowed. |
| Access-Control-Request-Headers: Authorization, X-Api-Key | Sent by the browser during preflight to ask if custom headers are allowed. |
| Origin: https://client.com | Sent by the browser to indicate the origin of the request. |
| Vary: Origin | Instructs caches that the response may vary depending on the Origin header. |
| Vary: Access-Control-Request-Headers | Ensures caches treat responses differently based on requested headers. |
| Vary: Access-Control-Request-Method | Ensures caches treat responses differently based on requested methods. |
| Timing-Allow-Origin: * | Allows cross-origin access to detailed performance timing information. |
| Timing-Allow-Origin: https://example.com | Allows only the specified origin to access performance timing data. |
| Access-Control-Allow-Private-Network: true | Allows a public site to make requests to private-network (e.g. localhost or LAN) resources under the newer Private Network Access browser model. |
| Cross-Origin-Opener-Policy: same-origin | Isolates the browsing context from cross-origin pages to prevent data leaks. |
| Cross-Origin-Opener-Policy: same-origin-allow-popups | Allows popups but keeps the main page isolated from cross-origin interference. |
| Cross-Origin-Opener-Policy: unsafe-none | Disables isolation; allows cross-origin interactions (least secure). |
| Cross-Origin-Embedder-Policy: require-corp | Requires embedded resources to explicitly allow cross-origin embedding (needed for SharedArrayBuffer). |
| Cross-Origin-Embedder-Policy: unsafe-none | Allows embedding any resource without restrictions (not secure). |
| Cross-Origin-Resource-Policy: same-origin | Restricts resource loading to the same origin only. |
| Cross-Origin-Resource-Policy: same-site | Allows resource loading from the same site but different subdomains. |
| Cross-Origin-Resource-Policy: cross-origin | Allows resource loading from any origin. |
| Cross-Origin-Opener-Policy-Report-Only | Reports COOP violations to the configured reporting endpoint without enforcing them. |
| Cross-Origin-Embedder-Policy-Report-Only | Reports COEP violations to the configured reporting endpoint without enforcing them. |
| Content-Security-Policy: script-src 'self' | Restricts which scripts can run; critical for preventing cross-origin script injection. |
| Content-Security-Policy: worker-src 'self' | Controls which origins may supply Worker, SharedWorker and ServiceWorker scripts; required for secure WASM execution in workers. |
| Content-Security-Policy: frame-ancestors 'none' | Prevents the page from being embedded in iframes (anti-clickjacking). |
| Content-Security-Policy: require-trusted-types-for 'script' | Protects against DOM XSS by enforcing Trusted Types. |
| Permissions-Policy: shared-array-buffer=(self) | Allows SharedArrayBuffer only in isolated contexts (COOP + COEP required). |
| Permissions-Policy: fullscreen=(self) | Controls which origins can request fullscreen mode. |
| Permissions-Policy: geolocation=() | Blocks geolocation access for all origins. |
| Referrer-Policy: no-referrer | Prevents sending the Referer header to any destination. |
| Referrer-Policy: strict-origin-when-cross-origin | Sends full referrer on same-origin requests, but only origin on cross-origin. |
| Sec-Fetch-Site: cross-site | Indicates the request came from a different site; used by browsers for security decisions. |
| Sec-Fetch-Mode: cors | Indicates the request is a CORS request. |
| Sec-Fetch-Dest: script | Indicates the destination type of the request (script, image, iframe, etc.). |
| Sec-Fetch-User: ?1 | Indicates the request was triggered by a user interaction. |
| Report-To: {"group":"coop","max_age":10886400} | Defines a named reporting endpoint group that COOP/COEP `report-to` directives reference for violation reports. |
| NEL: {"report_to":"coop","max_age":10886400} | Network Error Logging; allows reporting of network failures. |
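A quick way to use the table as a checklist, as an added example that is not part of the original page: audit a set of response headers for the permissive values listed above (wildcard CORS, wildcard plus credentials, an echoed origin without `Vary: Origin`, COOP/COEP left at their `unsafe-none` default, and missing CORP or Referrer-Policy). `WEAK_RESPONSE` and `HARDENED_RESPONSE` are constructed samples, and the finding labels are this script's own.

```python
"""Audit HTTP response headers against the cross-origin headers in the table.

Added example, not from the original page. The two sample header sets are
constructed; the finding names are labels chosen for this script.
"""
from typing import Dict, List

# Constructed sample: a permissive configuration for a credentialed API.
WEAK_RESPONSE = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Cross-Origin-Opener-Policy": "unsafe-none",
    "Cross-Origin-Embedder-Policy": "unsafe-none",
}

# Constructed sample: the same endpoint with the restrictive values from the table.
HARDENED_RESPONSE = {
    "Access-Control-Allow-Origin": "https://example.com",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def audit_cross_origin_headers(response_headers: Dict[str, str]) -> List[str]:
    """Return a list of finding labels; an empty list means nothing was flagged."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings: List[str] = []

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        # Any origin may read the response: acceptable only for public data.
        findings.append("acao-wildcard")
        if creds:
            # Browsers reject this combination, so it signals a misconfiguration.
            findings.append("wildcard-with-credentials")
    elif acao is not None:
        # A specific origin is echoed: caches must key on Origin or one
        # origin's response could be served to another.
        vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
        if "origin" not in vary and "*" not in vary:
            findings.append("acao-without-vary-origin")

    # COOP and COEP both default to unsafe-none when absent.
    if h.get("cross-origin-opener-policy", "unsafe-none").lower() == "unsafe-none":
        findings.append("coop-not-isolated")
    if h.get("cross-origin-embedder-policy", "unsafe-none").lower() == "unsafe-none":
        findings.append("coep-not-isolated")
    if "cross-origin-resource-policy" not in h:
        findings.append("corp-missing")
    if "referrer-policy" not in h:
        findings.append("referrer-policy-missing")
    return findings


if __name__ == "__main__":
    print("weak:", audit_cross_origin_headers(WEAK_RESPONSE))
    print("hardened:", audit_cross_origin_headers(HARDENED_RESPONSE))
```

The header dictionary is lower-cased before lookup because HTTP header names are case-insensitive and proxies frequently rewrite their casing; the values from the table are compared case-insensitively for the same reason.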