Cross-Origin Resource Sharing (CORS) is a mechanism that allows a server to indicate which origins are permitted to load its resources. Browsers enforce the same-origin policy by default and use CORS headers to relax it.
Key Points
- When allowing credentials (Access-Control-Allow-Credentials: true), the allowed origin and allowed headers must be listed explicitly; the wildcard `*` is not accepted for them
- Respond to preflight requests with a 204 No Content
- Preflight (OPTIONS) is triggered by non-simple requests (e.g. custom headers, PUT/DELETE methods, application/json content type)
Headers
- Access-Control-Allow-Origin: which origins may access the resource
- Access-Control-Allow-Methods: permitted HTTP methods
- Access-Control-Allow-Headers: permitted request headers
- Access-Control-Max-Age: how long preflight results can be cached
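The points above, as an added example that is not part of the original page: a framework-agnostic policy function that answers preflights with 204, reflects only an exact allow-listed origin (never `*`, since credentials are allowed), and approves only the requested method and headers. The allow-list, methods, headers and max-age are constructed values for the example.

```javascript
// Added example (not from the page): a framework-agnostic CORS policy evaluator.
// ALLOWED_ORIGINS, ALLOWED_METHODS and ALLOWED_HEADERS are a constructed policy.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];
const PREFLIGHT_MAX_AGE_SECONDS = 600;

// Evaluate a request: `req` is {method, headers} with lower-cased header names.
// Returns {status, headers}: status 204 means "answer the preflight now",
// null means "add these headers and run the real handler".
function cors(req) {
  const origin = req.headers['origin'];
  const isPreflight =
    req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  // Same-origin or non-browser request: no Origin header, nothing to add.
  if (origin === undefined) return { status: null, headers: {} };

  // Vary: Origin so a shared cache never replays one origin's answer to another.
  const headers = { Vary: 'Origin' };
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: answer with no Access-Control-* headers at all, so the
    // browser blocks the response. Never reflect an unchecked Origin value.
    return { status: isPreflight ? 204 : null, headers };
  }
  // Credentials are allowed, so the origin must be the exact allow-listed value.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (!isPreflight) return { status: null, headers };

  // Preflight: approve only the method and headers the real request will use.
  const method = req.headers['access-control-request-method'];
  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowedLower = ALLOWED_HEADERS.map((h) => h.toLowerCase());
  const ok = ALLOWED_METHODS.includes(method) &&
    requested.every((h) => allowedLower.includes(h));
  // Disallowed method or header: 204 without Allow-* headers, so the browser fails it.
  if (!ok) return { status: 204, headers: { Vary: 'Origin' } };

  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = String(PREFLIGHT_MAX_AGE_SECONDS);
  return { status: 204, headers };
}
```

Wire `cors()` in front of the real handler: send the returned headers, and if `status` is 204 end the response there instead of running the handler.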