A security rule that controls which websites can request data from your server — like a guest list that decides who gets past the door.
An HTTP mechanism where the server sends Access-Control-Allow-* headers to tell browsers which origins, methods, and headers are permitted for cross-origin requests. Preflight OPTIONS requests verify permissions before the actual request.
CORS is enforced by the browser, not the server; the server merely declares policy via response headers. Simple requests (GET/HEAD/POST with safelisted headers) skip preflight. Preflighted requests send an OPTIONS request with Origin, Access-Control-Request-Method, and Access-Control-Request-Headers; the server responds with the allowed origins, methods, and headers, plus a max-age that controls preflight caching. Credentials (cookies, Authorization) require Access-Control-Allow-Credentials: true and a non-wildcard Access-Control-Allow-Origin.
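The server side of the exchange described above, as an added example that is not part of the original page: a function that decides which CORS response headers to send for a preflight or an actual request. The function name `corsDecision`, the policy values, and the `example` origins are assumptions constructed for illustration.

```javascript
// Constructed policy: exact-match origin allowlist, so "*" is never needed.
const policy = {
  origins: new Set(["https://app.example"]),
  methods: ["GET", "POST", "PUT"],
  headers: ["content-type", "authorization"], // compared in lowercase
  credentials: true,
  maxAge: 600, // seconds the browser may cache the preflight result
};

// req: { method, headers } with lowercase header names.
// Returns { status, headers } with only the CORS-related response headers;
// status null means "not a preflight, the normal handler sets the status".
function corsDecision(policy, req) {
  const origin = req.headers["origin"];
  if (!origin) return { status: null, headers: {} }; // no Origin: CORS does not apply
  const out = { Vary: "Origin" }; // response depends on Origin, so caches must key on it
  // Unlisted origin: send no allow header. The browser then blocks the page from
  // reading the response, but the server still ran the request; authorize separately.
  if (!policy.origins.has(origin)) return { status: null, headers: out };

  // Echo the exact allowlisted origin; credentials are only valid without a wildcard.
  out["Access-Control-Allow-Origin"] = origin;
  if (policy.credentials) out["Access-Control-Allow-Credentials"] = "true";

  const wantMethod = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || wantMethod === undefined) {
    return { status: null, headers: out }; // actual (or simple) request
  }
  // Preflight: every requested method and header must be in the policy.
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = policy.methods.includes(wantMethod) &&
    wantHeaders.every((h) => policy.headers.includes(h));
  if (!ok) return { status: 403, headers: { Vary: "Origin" } };

  out["Access-Control-Allow-Methods"] = policy.methods.join(", ");
  out["Access-Control-Allow-Headers"] = policy.headers.join(", ");
  out["Access-Control-Max-Age"] = String(policy.maxAge);
  return { status: 204, headers: out };
}

// Constructed sample requests.
const preflight = { method: "OPTIONS", headers: {
  origin: "https://app.example",
  "access-control-request-method": "PUT",
  "access-control-request-headers": "Content-Type, Authorization" } };
const foreign = { method: "GET", headers: { origin: "https://other.example" } };
```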